[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re: [Qemu-devel] FreeOSZoo submission guideline update proposal

From: blacknoz
Subject: Re: Re: [Qemu-devel] FreeOSZoo submission guideline update proposal
Date: Thu, 8 Jul 2004 10:06:36 CEST

----Message d'origine----
>De: Jean-Michel POURE <address@hidden>
>A: address@hidden
>Sujet: Re: [Qemu-devel] FreeOSZoo submission guideline update proposal
>Date: Thu, 8 Jul 2004 08:35:22 +0200
>Copie à: 
>Le jeudi 8 Juillet 2004 00:19, Michael Jennings a écrit :
>> What steps are being taken by the FreeOSZoo folks to ensure that these
>> images are secure and not trojaned?
>We deliver the image with an MD5 sum. The images are installed using legacy 
>installers downloaded from the original sites.
>Do not hesitate to propose us other solutions.

that's a point I wanted to clear (maybe we are driving too fast:)...
MD5 is not enough unless signed with a known and verified gpg key or a similar 
mechanism... I intend to sign the MD5 file with my gpg key but it's of no real 
interest as this one is not trusted by anybody at the moment. It only certifies 
that the image is the one I uploaded and so you should trust me I didn't put 
malicious code in it... (should update submission guideline about this)

I think we have no real good way to verify images uploaded by other people than 
us and the one we really trust. And even with people we trust, we can't certify 
that anybody put a trojan or such bad things in them. By the way, that's not a 
"problem" specific to the freeoszoo...

(I love the way debian do the things on this particular topic, but  IHMO 
freeoszoo seems to small to put such procedure in place.)

Any suggestions are welcome.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]