sks-devel

Re: [Sks-devel] Secure packaging


From: David Shaw
Subject: Re: [Sks-devel] Secure packaging
Date: Fri, 5 Dec 2003 14:46:59 -0500
User-agent: Mutt/1.5.5i

On Fri, Dec 05, 2003 at 08:38:02PM +0100, Peter Palfrader wrote:
> On Fri, 05 Dec 2003, Dan Egli wrote:
> 
> > > Distribute a detached signature alongside the tarball.
> 
> > The best method I actually ever saw, albeit a bit paranoid, was to md5 
> > sum the file, then NON-detached sign the md5 file.
> > 
> > here's an example from the Knoppix Linux distributions
> > 
> > 8f841bae907f828ed7a36a0213746ab1 *KNOPPIX_V3.3-2003-11-19-EN.iso
> 
> Why would this be better?  It requires more steps to create, it requires
> more steps to verify, and it adds nothing from a security PoV.

It's useful if the item you are distributing is larger than one
"file".  For example, Red Hat distributes 6 or more ISOs for each
release, and instead of making a detached signature for each, they MD5
all of them in a single file and sign that file.

It's not a security thing.  Just a convenience thing.  There is no
benefit if there is only one file being distributed.

David
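The workflow David describes (one checksum file covering several release files, with the signature applied to that file) looks like this in practice. This is an added example, not code from this thread, from SKS, or from any distribution's release tooling. It assumes the coreutils `md5sum`/`sha256sum` line format (`<hexdigest> *<filename>`) and a manifest clearsigned the way `gpg --clearsign` wraps it; the OpenPGP signature check itself is left to `gpg --verify` and is not reimplemented here, so the code only covers what comes after that check: unwrapping the signed text and comparing digests against the files on disk. Two caveats a practitioner should keep in mind: checksums from a manifest whose signature has not been verified first prove nothing, and because the signer commits to the digests rather than the files, the scheme is only as strong as the hash's collision resistance, which is why the example defaults to SHA-256 rather than the MD5 of the 2003 Knoppix and Red Hat files.

```python
"""Build and verify a signed checksum manifest for a multi-file release.

Added example, not code from the sks-devel thread or from any project's
release tooling.  Assumptions: coreutils-style manifest lines
("<hexdigest> *<filename>") and a manifest clearsigned with GnuPG.  The
signature check is done by `gpg --verify` outside this code; only the
steps after that check are implemented here.
"""
import hashlib
import os
import tempfile

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def digest_file(path, algo="sha256"):
    """Hash a file in chunks so multi-gigabyte ISOs need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(directory, names, algo="sha256"):
    """One checksum line per release file, coreutils style ('*' = binary mode)."""
    return "".join(
        f"{digest_file(os.path.join(directory, n), algo)} *{n}\n" for n in names
    )


def unwrap_clearsigned(text):
    """Return the signed payload of a clearsigned message, dash-escaping undone.

    Only call this on text that `gpg --verify` has already accepted: the
    unwrapping itself proves nothing about who signed it.
    """
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        raise ValueError("not a clearsigned message")
    i = 1                      # skip the "Hash:" armor headers up to the blank line
    while i < len(lines) and lines[i].strip():
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == BEGIN_SIG:
            break
        body.append(line[2:] if line.startswith("- ") else line)
    else:
        raise ValueError("signature block missing")
    return "\n".join(body) + "\n"


def parse_manifest(text):
    """Parse '<hex> [ *]<name>' lines into {name: hexdigest}.

    Entries that would escape the release directory are rejected: a signed
    manifest is trusted data, but it should still not be able to make the
    verifier read arbitrary paths.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition(" ")
        name = name[1:] if name.startswith("*") else name.lstrip()
        if not name or os.path.isabs(name) or ".." in name.split("/"):
            raise ValueError(f"refusing manifest entry {raw!r}")
        entries[name] = hexdigest.lower()
    return entries


def verify_manifest(manifest_text, directory, algo="sha256"):
    """Check every listed file; returns {name: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if digest_file(path, algo) == expected else "FAILED"
    return results


def demo():
    """Constructed release: two 'ISOs', one altered after signing, one never shipped."""
    with tempfile.TemporaryDirectory() as d:
        files = {"disc1.iso": b"A" * 3000, "disc2.iso": b"B" * 3000}
        for n, data in files.items():
            with open(os.path.join(d, n), "wb") as f:
                f.write(data)
        manifest = make_manifest(d, sorted(files)) + "0" * 64 + " *disc3.iso\n"
        # Stand-in for the armor `gpg --clearsign` wraps around the manifest
        # (signature body omitted; assumed already checked by gpg --verify).
        signed = (f"{BEGIN_SIGNED}\nHash: SHA256\n\n{manifest}{BEGIN_SIG}\n"
                  "...\n-----END PGP SIGNATURE-----\n")
        with open(os.path.join(d, "disc2.iso"), "ab") as f:
            f.write(b"X")  # tamper with one file after the manifest was signed
        return verify_manifest(unwrap_clearsigned(signed), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

On a real release the order matters: run `gpg --verify` on the signed manifest first, and only then feed its payload to the digest comparison; the same one-signature-many-files convenience David points out also means one signature check covers the whole set.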