Re: (ITS#5639) Digital (PGP-)signature for downloadable sources
Kurt@OpenLDAP.org writes:
> On Aug 4, 2008, at 2:06 PM, h.b.furuseth@usit.uio.no wrote:
>> Kurt@OpenLDAP.org writes:
>>> I note as well that properly deploying release signing requires
>>> more than script modification. For instance, one does need to
>>> consider that the host to sign the releases might itself have been
>>> taken over and the implications of such a takeover.
>>
>> For that part, signatures in the 'https:' site would help.
>
> I think you need to re-think that assertion.
Er, yes, I was thinking of the "outside" equivalent, hacking DNS and
"taking over" that way. I have the impression that's the most common
way to "take over" a site, but I may be wrong.
--
Hallvard