[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] Secure packaging
From: |
David Shaw |
Subject: |
Re: [Sks-devel] Secure packaging |
Date: |
Fri, 5 Dec 2003 14:46:59 -0500 |
User-agent: |
Mutt/1.5.5i |
On Fri, Dec 05, 2003 at 08:38:02PM +0100, Peter Palfrader wrote:
> On Fri, 05 Dec 2003, Dan Egli wrote:
>
> > > Distribute a detached signature alongside the tarball.
>
> > The best method I actually ever saw, albeit a bit paranoid, was to md5
> > sum the file, then NON-detached sign the md5 file.
> >
> > here's an example from the Knoppix linux distrubitions
> >
> > 8f841bae907f828ed7a36a0213746ab1 *KNOPPIX_V3.3-2003-11-19-EN.iso
>
> Why would this be better? It requires more steps to create, it requires
> more steps to verify, and it adds nothing from a security PoV.
It's useful if the item you are distributing is larger than one
"file". For example, Red Hat distributes 6 or more ISOs for each
release, and instead of making a detached signature for each, they MD5
all of them in a single file and sign that file.
It's not a security thing. Just a convenience thing. There is no
benefit if there is only one file being distributed.
David