
Re: [Xen-devel] Xen signing and wget



On 07/06/10 17:34, Keir Fraser wrote:
> On 06/07/2010 16:27, "Joanna Rutkowska" <joanna@xxxxxxxxxxxxxxxxxxxxxx>
> wrote:
> 
>>>> But you use a plaintext connection, which, in security, means random code.
>>>> I think we have already gone through this last time when discussing the
>>>> signing process for Xen ;)
>>>
>>> Okay, then make a patch, including hashes for our current collection of
>>> downloads.
>>
>> I'm not a Xen developer. I do not sign your tarballs...
> 
> Perhaps best then to sign the tarballs we have on xenbits, and verify the
> signatures when we download tarballs. Ian Jackson might pick that up as a
> work item.
> 

For me (=user) that would be just fine, but I think *for you* (=vendor)
it might be better to just generate a list of hashes via md5sum and
include this file (say 'sources') in your tarball, and get your
Makefiles to just do md5sum -c sources after they download them.

The difference is subtle, but I think you show this way that these are
external components, originally not signed, not created by you (but only
somehow verified, hence the hash). If you sign something with your key,
it suggests you have somehow generated it yourself. I know it's subtle.

joanna.
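
The scheme proposed in the message above (a 'sources' hash list shipped in the release tarball and checked with md5sum -c after download), as an added example that is not part of the original thread or of Xen's build system. The function names, file names, file contents and the delete-on-failure behaviour are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; all file names and contents below are constructed.
# sha256sum accepts the same manifest format and the same -c flag.

# Vendor side: hash the vetted third-party tarballs into a manifest
# ('sources', as in the message) that ships inside the release tarball.
make_sources() {        # $1 = dir with vetted tarballs, $2 = absolute manifest path
    ( cd "$1" && md5sum -- *.tar.gz ) > "$2"
}

# Build side: what a Makefile fetch rule would call after downloading.
# Fails closed: on a mismatch or a missing file the downloads are removed,
# so a later build step cannot pick up unverified code.
# Note: md5sum -c only checks files listed in the manifest.
verify_sources() {      # $1 = download dir, $2 = absolute manifest path
    if ( cd "$1" && md5sum -c "$2" >/dev/null 2>&1 ); then
        return 0
    fi
    rm -f -- "$1"/*.tar.gz
    return 1
}

demo() {
    work=$(mktemp -d) || return 2
    mkdir "$work/vetted" "$work/dl"
    printf 'zlib contents\n' > "$work/vetted/zlib-demo.tar.gz"
    printf 'grub contents\n' > "$work/vetted/grub-demo.tar.gz"
    make_sources "$work/vetted" "$work/sources"

    # Case 1: the bytes that arrive are the ones the vendor hashed.
    cp "$work"/vetted/*.tar.gz "$work/dl/"
    clean=0; verify_sources "$work/dl" "$work/sources" || clean=$?

    # Case 2: one tarball was modified somewhere between server and build host.
    cp "$work"/vetted/*.tar.gz "$work/dl/"
    printf 'injected\n' >> "$work/dl/zlib-demo.tar.gz"
    tampered=0; verify_sources "$work/dl" "$work/sources" || tampered=$?

    kept=yes; [ -e "$work/dl/zlib-demo.tar.gz" ] || kept=no
    rm -rf "$work"
    echo "clean=$clean tampered=$tampered tampered_file_kept=$kept"
}

demo
```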

