Re: Contributed packages and trust problem ?

From: "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk>
To: <blacknoz(at)club-internet(dot)fr>
Cc: <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: Contributed packages and trust problem ?
Date: 2003-08-10 08:13:34
Message-ID: 50176.80.177.99.193.1060503214.squirrel@ssl.vale-housing.co.uk
Lists: pgadmin-hackers

It's rumoured that Raphaël Enrici once said:
> Dave Page wrote:
>
>>>-----Original Message-----
>>>From: Raphaël Enrici [mailto:blacknoz(at)club-internet(dot)fr]
>>>Sent: 09 August 2003 19:14
>>>To: pgadmin-hackers(at)postgresql(dot)org
>>>Subject: [pgadmin-hackers] Contributed packages and trust problem ?
>>>
>>Never considered it in the past as I always did the builds. I think it
>>is a valid problem though. Is there any way we can sign the source code
>>such that when it's compiled we can verify that it was unmodified
>>source?
>>
> Never heard about something like this....

No, me neither. Perhaps it'll make a topic for my dissertation...

>>What did you have in mind, a pgp sig for each file? I don't see that as
>>a problem for each packager to create.
>>
>>
> As RPM and DEB packages integrate gpg signatures, I just wanted to
> know if there was a pgp/gpg key global to the pgAdmin team, something
> that was used to sign the files of the project like binaries, sources,
> etc. I'm ok to sign deb package by myself.
> And wanted to know if you used in the past to sign the files? For
> example the source tarball and win32 packages.

No, there is no 'global' key. That would probably be pretty insecure. I
would think that a pgp/gpg sig from the packager would suffice - it would
at least prove that the file hadn't been tampered with. Mind you, it doesn't
prevent someone packaging their own version and pretending they are the
official packager. Perhaps I should sign everything?
Regards, Dave.
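
Added example, not part of the original message or of the pgAdmin project: a detached signature that verifies only shows the file matches whatever key signed it, so the check below also pins the packager's full fingerprint, which has to be obtained out of band. The function names `pinned_signer_ok` and `verify_pinned` are hypothetical, and the fingerprints in the usage comment are placeholders.

```shell
#!/bin/sh
# Verify a package's detached gpg signature AND that it was made by one
# specific, pinned key. A good signature from an unknown key is rejected.

# pinned_signer_ok EXPECTED_FPR
# Reads `gpg --status-fd` output on stdin. Succeeds (0) only if a VALIDSIG
# line names EXPECTED_FPR as the signing key or as its primary key.
# Returns 2 if EXPECTED_FPR is not a full 40-hex-digit fingerprint.
pinned_signer_ok() {
    # Normalise: drop spaces, upper-case the hex digits.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    # Short and long key IDs can collide; insist on the full fingerprint.
    [ "${#expected}" -eq 40 ] || return 2

    awk -v want="$expected" '
        # VALIDSIG: field 3 is the signing key fingerprint; on current
        # GnuPG the last field is the primary key fingerprint.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit ok ? 0 : 1 }
    '
}

# verify_pinned FILE SIGFILE EXPECTED_FPR
# Runs gpg on a detached signature and applies the pin. gpg exits non-zero
# on a bad or unverifiable signature, which is treated as failure first.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | pinned_signer_ok "$3"
}

# Usage (file names and fingerprint are placeholders):
#   verify_pinned package.tar.gz package.tar.gz.sig \
#       "<40-hex-digit fingerprint published by the packager>" \
#       && echo "signed by the pinned packager key"
```
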
