From: Mark D. Baushke
Subject: Re: [Cvs-dev] Re: [Cvs-test-results] CVS trunk testing results (BSDI BSD/OS)
Date: Mon, 08 May 2006 12:00:53 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Derek R. Price <address@hidden> writes:

> Jim Hyslop wrote:
> > >warns if the "latest gpg" version number is out of date?  Am I going
> > > overboard?
> >   
> >
> > Depends on your perspective :=) From the security point of view, not in
> > the least. Some paranoi^H^H^H^H^H^H^H conscientious security people
> > might say you aren't going far enough.
> 
> What about the doc patch?  Acceptable?

I think I would rather see a single copy of the

@strong{WARNING: Due to the sensitive nature of
OpenPGP implementations, if you intend to employ
CVS commit signatures as a security precaution, it
is recommended that you make sure you are using an
OpenPGP implementation with all the available
security fixes. Check with the vendor of your
OpenPGP implementation for information on its
latest version.}

text that is referenced rather than ten distinct
copies of it.

> > I think we should not test for a specific
> > revision of GPG. Keeping GPG up to date is
> > outside the scope of CVS. We should take every
> > reasonable effort to ensure that CVS works
> > properly with the latest version of GPG, and
> > to that extent we should ensure that sanity.sh
> > tests pass properly.
> 
> I agree that actually keeping GPG up-to-date is
> outside the scope of CVS, but I do still feel
> that if I'm going to advertise a new feature as
> secure, it would be polite to at least warn
> potentially new users who might be somewhat
> ignorant of security matters and inclined to
> trust CVS that there may be issues involved in
> keeping their GPG up-to-date.
> 
> At least, those users savvy enough to read the
> CVS manual or run sanity.sh, anyhow. :)
> 
> > It would probably be helpful to have a
> > reminder for the maintainers to make sure it's
> > up to date, and possibly allow the reminder to
> > be user-configurable for those users who may
> > want to be reminded as well.
> 
> Well, a reminder means a --version test, doesn't
> it?

No. It does not.

    1) There are at least two viable
       implementations of the OpenPGP standard as
       provided by RFC 2440. One is under the GPL
       and the other is a commercial product. The
       OpenPGP should try to be agnostic as to the
       particular implementation chosen.

    2) Some vendors have been known to patch
       security concerns into down-revision
       releases of software. There is no way to
       know if 'gpg --version' which returns a
       '1.2.3' is or is not the latest version of
       the tool for a particular host operating
       system or not.

> What about, like I said, a hard-coded value in
> sanity.sh that only causes a loud warning to be
> printed about updating GPG, with a hook in `make
> distcheck' to poll gnupg.org and see if there is
> a more recent general release version available
> for download than is specified in sanity.sh?

If you know that it is 'gnupg.org' that you can
check, maybe you could print out the latest
version if you can figure it out easily.

However, what if it is pgp from NAI (www.pgp.com)?
The pgp.com folks are interested in telling you
the latest, but you need to fill out a form which
includes the hardware and operating system and
name of the user asking....

Also, I know that www.pgpi.org is not always
accepting connections. The last time I looked
(last month), they still had 2002/12/03 PGP 8.0
released as the 'Latest news' on the front page
and their download site had:

  GnuPG 1.0.7
  PGP 2.6.3i
  PGP 5.0i
  PGP 6.5.1i
  PGP 6.5.8

as the Freeware versions of UNIX available for
download.

        -- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEX5VjCg7APGsDnFERAu3ZAKDSv25DOPWueuS36rX/CQzuADcQPACfVlrw
JXfzaGhhv708f8zI6+S0I/U=
=qcP6
-----END PGP SIGNATURE-----
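The hard-coded "loud warning" check that the thread debates, as an added POSIX sh example that is not code from the CVS project or from sanity.sh. It assumes a hypothetical hard-coded "latest known" version (the placeholder 1.4.3 is taken from the signature block on this page, not from any release check), parses constructed `gpg --version`-style output, and does a numeric dotted-version comparison so that 1.10 is not judged older than 1.9. Mark's two objections are reflected in the code: the tool lookup is agnostic about which OpenPGP implementation is installed, and the warning is advisory only, since a vendor may have back-ported fixes into a release whose version string still compares as older.

```shell
#!/bin/sh
# Added illustration; not part of CVS or sanity.sh.
# LATEST_KNOWN_GPG is a hypothetical hard-coded value, as proposed in the thread.
LATEST_KNOWN_GPG=1.4.3

# Point 1 of the message: do not assume GnuPG; accept any OpenPGP tool on PATH.
# Prints the first tool found and returns 0, or returns 1 if none is installed.
find_openpgp_tool() {
    for t in gpg gpg2 pgp; do
        command -v "$t" 2>/dev/null && return 0
    done
    return 1
}

# Pull "X.Y.Z" from the first line of "gpg --version"-style output
# (e.g. "gpg (GnuPG) 1.4.3"). Prints an empty line if it cannot.
gpg_version_from_output() {
    v=$(printf '%s\n' "$1" | awk 'NR==1 { print $NF; exit }')
    case $v in
        [0-9]*.[0-9]*) printf '%s\n' "$v" ;;
        *) printf '\n' ;;
    esac
}

# Numeric comparison of two dotted versions; prints "lt", "eq" or "gt".
# A missing component counts as 0, so 1.4 < 1.4.3.
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then echo lt; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo eq
}

# Returns 0 (a warning was printed) if the reported version is older than
# LATEST_KNOWN_GPG or could not be parsed, 1 otherwise.
# Point 2 of the message: this is advisory. An "older" version string may
# carry vendor back-ported fixes, and a newer one is not proof of currency;
# the warning only tells the user to check with their vendor.
gpg_version_warning() {
    v=$(gpg_version_from_output "$1")
    if [ -z "$v" ]; then
        echo "WARNING: could not determine the OpenPGP implementation version; check with your vendor for security fixes" >&2
        return 0
    fi
    case $(version_cmp "$v" "$LATEST_KNOWN_GPG") in
        lt)
            echo "WARNING: OpenPGP implementation $v is older than $LATEST_KNOWN_GPG; check with your vendor for the latest security fixes" >&2
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Constructed sample output (not captured from a real host) to exercise the check.
SAMPLE_OUTPUT="gpg (GnuPG) 1.2.3
Copyright (C) 2003 Free Software Foundation, Inc."
gpg_version_warning "$SAMPLE_OUTPUT" || echo "OpenPGP version check passed"
```

In a real sanity.sh run the constructed sample would be replaced by `$(tool --version 2>/dev/null)` with `tool` taken from `find_openpgp_tool`; the functions above are written so that a missing tool or unparseable output produces the warning rather than a test failure, which matches Derek's "loud warning only" proposal.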