Thomas Delrue on 1 Jun 2015 10:40:00 -0700



Re: [PLUG] SourceForge has Malware?



On 06/01/2015 01:02 PM, Rich Freeman wrote:
> I think the bottom line is that all the content hashing makes it 
> fairly difficult to tamper with sources stored in git.

First off, thank you for telling me it exists in git, I didn't know that
yet (and now I do) :)

I'm not so much worried about tampering with the stored sources because
the content hash does indeed guarantee lineage of the source. That's
really what these are for.

But content hashing is not the same as signing.

Crypto-signing is 'vouching' for something saying "yes, I as a trusted
dev put my name under this piece of work and guarantee that it is
'good'. I have looked at what we are releasing and everything that went
into the code since the last release and everything in it is part of the
intended functionality".
Now this doesn't mean the dev becomes liable for bugs, it just functions
more as the dev signing off on it.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
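
The distinction drawn in the message above, as an added example that is not part of the original post or of git's own code: a git-style hash chain is internally consistent for any history, so only a signature over the tip ID says which history a developer vouched for. Assumptions: the commit format is simplified, the Lamport one-time signature is a standard-library stand-in for the GPG signature git uses, and all function names and sample sources are constructed.

```python
import hashlib
import os

def git_object_id(kind, body):
    """Object ID as git computes it: SHA-1 over '<kind> <size>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\0" + body).hexdigest()

def commit_id(source, parent):
    # Simplified commit (assumption): real commits name a tree, author and dates.
    body = f"blob {git_object_id('blob', source)}\nparent {parent}\n".encode()
    return git_object_id("commit", body)

def tip_of(history):
    """Chain the commits; each ID covers its content and every ancestor."""
    tip = "0" * 40
    for source in history:
        tip = commit_id(source, tip)
    return tip

# Lamport one-time signature over SHA-256: a stand-in (assumption) for the GPG
# signature made by `git tag -s` or `git commit -S`. One key signs one message.
def _h(data):
    return hashlib.sha256(data).digest()

def _bits(message):
    digest = _h(message.encode())
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    secret = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return secret, [(_h(a), _h(b)) for a, b in secret]

def sign(secret, message):
    return [secret[i][bit] for i, bit in enumerate(_bits(message))]

def verify(public, message, signature):
    return len(signature) == 256 and all(
        _h(sig) == public[i][bit]
        for i, (sig, bit) in enumerate(zip(signature, _bits(message))))

# Constructed sample data: the released history and a copy altered on a mirror.
RELEASED = [b"int main(void) { return 0; }\n", b"int main(void) { return run(); }\n"]
MIRRORED = [RELEASED[0], b"int main(void) { bundle(); return run(); }\n"]

def check_download(history, public, signature):
    """Accept a download only if the developer's signature covers its tip ID."""
    return verify(public, tip_of(history), signature)

if __name__ == "__main__":
    secret, public = keygen()
    signature = sign(secret, tip_of(RELEASED))  # the developer vouches for this tip
    print("released:", check_download(RELEASED, public, signature))
    print("mirrored:", check_download(MIRRORED, public, signature))
```

Both histories hash cleanly from root to tip; only the signature check tells them apart, because recomputing the hashes needs no key while producing the signature does.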