From: | "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> |
---|---|
To: | <blacknoz(at)club-internet(dot)fr> |
Cc: | <pgadmin-hackers(at)postgresql(dot)org> |
Subject: | Re: Contributed packages and trust problem ? |
Date: | 2003-08-10 08:13:34 |
Message-ID: | 50176.80.177.99.193.1060503214.squirrel@ssl.vale-housing.co.uk |
Lists: | pgadmin-hackers |

It's rumoured that Raphaël Enrici once said:
> Dave Page wrote:
>
>>>-----Original Message-----
>>>From: Raphaël Enrici [mailto:blacknoz(at)club-internet(dot)fr]
>>>Sent: 09 August 2003 19:14
>>>To: pgadmin-hackers(at)postgresql(dot)org
>>>Subject: [pgadmin-hackers] Contributed packages and trust problem ?
>>>
>>Never considered it in the past as I always did the builds. I think it
>>is a valid problem though. Is there any way we can sign the source code
>>such that when it's compiled we can verify that it was unmodified
>>source?
>>
> Never heard about something like this....

No, me neither. Perhaps it'll make a topic for my dissertation...

>>What did you have in mind, a pgp sig for each file? I don't see that as
>>a problem for each packager to create.
>>
>>
> As RPM and DEB packages integrate gpg signatures, I just wanted to
> know if there were a pgp/gpg key global to the pgAdmin team, something
> that was used to sign the files of the project like binaries, sources,
> etc. I'm ok to sign deb package by myself.
> And wanted to know if you used in the past to sign the files? For
> example the source tarball and win32 packages.

No, there is no 'global' key. That would probably be pretty insecure. I
would think that a pgp/gpg sig from the packager would suffice - it would
at least prove that the file hadn't been tampered with. Mind you, it doesn't
prevent someone packaging their own version and pretending they are the
official packager. Perhaps I should sign everything?

Regards, Dave.
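
The limitation raised in the message above (a valid signature shows the file is unmodified, but not that the signer is an official packager) is commonly handled by pinning the expected key fingerprints and checking them against gpg's machine-readable status output. This is an added example, not part of the original message or pgAdmin's tooling; the fingerprints, the allowlist and the function names are constructed placeholders.

```shell
#!/bin/sh
# Constructed allowlist: full fingerprints of the keys allowed to sign releases,
# obtained out of band (not from the mirror that serves the packages).
TRUSTED_FPRS='AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222'

# Reads `gpg --status-fd` lines on stdin. Succeeds only when every valid
# signature comes from an allowlisted primary key and none is bad, unchecked,
# or made with an expired or revoked key.
signer_is_trusted() {
    awk -v trusted="$TRUSTED_FPRS" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the signing (sub)key; $12, when present, is its primary key.
            fpr = (NF >= 12) ? $12 : $3
            if (fpr in ok) found = 1; else bad = 1
        }
        END { exit ((found && !bad) ? 0 : 1) }
    '
}

# verify_release FILE SIGFILE, where SIGFILE is a detached signature created
# by the packager with: gpg --armor --detach-sign FILE
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | signer_is_trusted
}

# Constructed status output: a cryptographically valid signature made by a key
# that is NOT on the allowlist (someone packaging their own version).
IMPOSTOR_STATUS='[GNUPG:] GOODSIG CCCC3333CCCC3333 Constructed Impostor <impostor@example.org>
[GNUPG:] VALIDSIG CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333 2003-08-10 1060503214 0 4 0 17 2 00 CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333'

if printf '%s\n' "$IMPOSTOR_STATUS" | signer_is_trusted; then
    echo "accepted"
else
    echo "rejected: good signature, but signer is not an official packager"
fi
```
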