[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ft-devel] DSIG - Re: Freetype-devel Digest, Vol 130, Issue 8
From: |
Hin-Tak Leung |
Subject: |
Re: [ft-devel] DSIG - Re: Freetype-devel Digest, Vol 130, Issue 8 |
Date: |
Tue, 10 Nov 2015 07:37:31 +0000 |
------------------------------
On Tue, Nov 10, 2015 4:21 AM GMT Werner LEMBERG wrote:
>
> But I think signing is a good thing - not from the security point
> of view, but of making font designers (or rather, font modifiers)
> less callous about doing ad hoc modification of fonts. I think
> requiring signing - or even just *showing* the DSIG status - of
> fonts would improve the general quality of them.
>
> There's water under that bridge already. Neither WOFF nor WOFF2
> maintain the exact byte sequence in a font.
>
>And integrity checks at installation time can be easily done with an
>external MD5 or sha256 checksum, which is far easier to handle.
>
DSIG is equivalent to having an internal md5 or sha1 checksum (i have only seen
these two used, but up to 7 other digest algorithms are allowed, if i read the
spec correctly) as well as saying 'who' did the checksum, so it is marginally
better, though yes, neither generating such nor verifying such is easy at the
moment... Hopefully this will improve soon.