oss-sec mailing list archives
Re: upstream source code authenticity checking
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 26 Apr 2013 02:46:23 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/26/2013 02:25 AM, Dag-Erling Smørgrav wrote:
Kurt Seifried <kseifried () redhat com> writes:This makes no sense. So you don't trust their signature because they have to "earn trust", but you do trust their software and you compile and run it? That's literally insane.This is exactly the logic used by web browsers to justify scaring users away from https sites that haven't payed the Verisign tax... DES
Huh? That makes no sense. There's at least one free CA that has a root cert in most browsers (http://cert.startcom.org/). I'm sorry but your comment in this context doesn't appear to make any sense. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRej7eAAoJEBYNRVNeJnmTaWEP/jQqCT87jW2ck+/aWMmgsgvb W/LKA5TfJQhFyHmthYTy696imwShlETBPbfHzddJTiT3HSRe8ThxeXttq/c0yYC0 ZDNI92fYTIqnmeou9DpuyNmliJIWlSfPUVU0tNGQMYvvxyy38wy9iYoand3v5M0R JtUwFgHW51u5LZnH68cXT9zal8nEUtJ3L054sttyZGvRLMI8c9ZF194iLWJj29aE gDrub9BAfaxo/4q65HdwL8WToCPEFwVH5i0Vp2mbbizvDANqTikULcrznkKnyYTp boGQ2mQTF2NvWYlwbXCt6MvJXLMegSgGUeKcebuLtMPizhpGuACRMyJ2ALL/VYzG 8xmnrUqA54xnrRhi9j1CcdqYi4GPoAnLtrSW4pw0ljH0FNHb45sq4km+l+UUghOp uzPXqhDVApCy6FtTNc6D9kYxigyJipL0Qb5A1r2nRIiIVi2nW9Hcl5IkdGhCjnK0 hDEuq+FqkbiBsH9nGvFHBCMYPBFnd6n9cZdYIu7aM4EG0of4KIBadkdO9Biyt8fW t8IFDPzUoERRp7DqByD1PQntTezaRNHsdmQEiQT7RyAAXM9pyeIIB2ph49UQFsl2 GsTKOoTSIyR3zdwsnk+AVKoVHp9AzpfQFyEeLd/D+uCM/XcHdAou70KpmJRxHwKT JCYXHqRQD3/isSd4Nzf8 =ZrkE -----END PGP SIGNATURE-----
Current thread:
- Re: upstream source code authenticity checking, (continued)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 21)
- Re: upstream source code authenticity checking Stuart Henderson (Apr 22)
- Re: upstream source code authenticity checking Eric H. Christensen (Apr 24)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 24)
- Re: upstream source code authenticity checking Allan McRae (Apr 24)
- Re: upstream source code authenticity checking Kurt Seifried (Apr 25)
- Re: upstream source code authenticity checking Daniel Kahn Gillmor (Apr 25)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 25)
- Re: upstream source code authenticity checking Kurt Seifried (Apr 25)
- Re: upstream source code authenticity checking Dag-Erling Smørgrav (Apr 26)
- Re: upstream source code authenticity checking Kurt Seifried (Apr 26)
- Re: upstream source code authenticity checking Dag-Erling Smørgrav (Apr 26)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 24)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 26)
- Re: upstream source code authenticity checking Kurt Seifried (Apr 26)
- Re: upstream source code authenticity checking Eric H. Christensen (Apr 29)
- Re: upstream source code authenticity checking Daniel Kahn Gillmor (Apr 30)
- Re: upstream source code authenticity checking Robbie MacKay (May 01)
- Re: upstream source code authenticity checking Alistair Crooks (May 02)
- OpenPGP certifications are identity assertions [was: Re: upstream source code authenticity checking] Daniel Kahn Gillmor (May 02)
- Re: OpenPGP certifications are identity assertions [was: Re: upstream source code authenticity checking] Simon McVittie (May 02)
- Re: upstream source code authenticity checking Kurt Seifried (May 02)