oss-sec mailing list archives
Re: upstream source code authenticity checking
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Sun, 21 Apr 2013 10:05:53 -0700
On 04/20/13 01:39 PM, Solar Designer wrote:
> I just found this recent blog post by Allan McRae of Arch Linux:
> http://allanmcrae.com/2012/04/how-secure-is-the-source-code/
>
> Thank you for doing this, Allan! Are you contacting the upstream authors to request that they start to properly sign their releases? (I've been doing that on some occasions, sometimes with success.)
Coming from one of the common upstreams (X.Org), it would really be helpful if there was a "Best Practices" page we could reference, since we've gotten a couple complaints that we're not doing enough, but not concrete enough suggestions that we can go modify our release script to implement them. (Currently we include MD5, SHA1, & SHA256 checksums in the release announcement e-mails, which we tell maintainers to pgp sign with their own keys when sending - though unfortunately most of the mailing list archives break the ability to verify when they mangle email addresses to prevent spam harvesting from their archives.)

If there was a common standard, with instructions, we'd be far more likely to spend the time to adopt it, than just a "make signatures appear somewhere, in an unspecified format".

-- 
-Alan Coopersmith-              alan.coopersmith () oracle com
 Oracle Solaris Engineering - http://blogs.oracle.com/alanc
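The release-announcement practice described above (checksums in a PGP-signed mail) implies a matching check on the downstream side. The following is an added example, not X.Org's release script or any code from the thread: it emits the `SHA256:` lines an announcement would carry, and verifies a downloaded tarball against the announcement text only after the clearsigned mail itself has been verified. It assumes `sha256sum` (or `shasum`) and `gpg` are installed; file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: checksum lines for a release announcement, and the
# downstream verification of a tarball against that announcement.
set -eu

sha256_of() {
    # Portable SHA-256 hex digest of a file (GNU coreutils or Perl shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Print one "SHA256: <hex>  <name>" line per release file; this is the
# block the maintainer pastes into the announcement before clearsigning it.
announce_checksums() {
    for f in "$@"; do
        printf 'SHA256: %s  %s\n' "$(sha256_of "$f")" "$(basename "$f")"
    done
}

# Check the clearsigned announcement (announce.asc) and print its text.
# Fails if the signature does not verify, so unsigned or mangled text is
# never trusted as a checksum source. (Needs gpg and the signer's key.)
signed_announcement_text() {
    gpg --batch --verify "$1" >/dev/null 2>&1 || return 1
    gpg --batch --decrypt "$1" 2>/dev/null
}

# Verify one downloaded file against announcement text read from stdin.
# Exit status: 0 = match, 1 = digest mismatch, 2 = file not listed at all
# (an absent entry must fail, not silently pass).
verify_against_announcement() {
    file=$1
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$1=="SHA256:" && $3==n {print $2}')
    [ -n "$expected" ] || return 2
    [ "$(sha256_of "$file")" = "$expected" ]
}

# Typical downstream use (assumes the files exist):
#   signed_announcement_text announce.asc > announce.txt
#   verify_against_announcement libfoo-1.0.tar.gz < announce.txt
```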
Current thread:
- upstream source code authenticity checking Solar Designer (Apr 20)
- Re: upstream source code authenticity checking Alan Coopersmith (Apr 21)
- Re: upstream source code authenticity checking Marcus Meissner (Apr 21)
- Re: upstream source code authenticity checking Jeremy Stanley (Apr 21)
- Re: upstream source code authenticity checking Allan McRae (Apr 21)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 21)
- Re: upstream source code authenticity checking Allan McRae (Apr 21)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 21)
- Re: upstream source code authenticity checking Stuart Henderson (Apr 22)
- Re: upstream source code authenticity checking Allan McRae (Apr 21)
- Re: upstream source code authenticity checking Eric H. Christensen (Apr 24)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 24)
- Re: upstream source code authenticity checking Allan McRae (Apr 24)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 24)