Re: Reflections on Trusting Trust

From: Kris Kennaway (kris_at_obsecurity.org)
Date: 11/30/05

    Date: Tue, 29 Nov 2005 18:33:16 -0500
    To: Kris Kennaway <kris@obsecurity.org>
    
    
    

    On Tue, Nov 29, 2005 at 06:27:03PM -0500, Kris Kennaway wrote:
    > On Tue, Nov 29, 2005 at 01:36:31PM -0200, aristeu wrote:
    > > I'm new here, and I've posted only once. I just want to add my "just
    > > another user" opinion on this...
    > >
    > > Signing security advisories that send the hashes for a file does a nice
    > > job.
    > >
    > > I think the only problem that exists is the package/ports deployment. I
    > > believe we can't trust only on hashes for this (tar already does a fine job
    > > on integrity...), because it can be easily circumvented. Maybe trusting
    > > this is the real weakest link...
    >
    > I'd be happy to work with someone who can implement a solution for the
    > package side.

    Also, pkg_sign(1) has existed for a long time, but needs the support
    infrastructure to make it usable.

    Kris

    
    


