Thomas Delrue on 1 Jun 2015 10:40:00 -0700
Re: [PLUG] SourceForge has Malware?
On 06/01/2015 01:02 PM, Rich Freeman wrote:
> I think the bottom line is that all the content hashing makes it
> fairly difficult to tamper with sources stored in git.

First off, thank you for telling me it exists in git, I didn't know that yet (and now I do) :)

I'm not so much worried about tampering with the stored sources because the content hash does indeed guarantee lineage of the source. That's really what these are for.

But content hashing is not the same as signing. Crypto-signing is 'vouching' for something, saying "yes, I as a trusted dev put my name under this piece of work and guarantee that it is 'good'. I have looked at what we are releasing and everything that went into the code since the last release and everything in it is part of the intended functionality". Now this doesn't mean the dev becomes liable for bugs, it just functions more as the dev signing off on it.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
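
The distinction drawn in the message above, as an added example that is not part of the original post: a git-style content hash is consistent for whatever content it is computed over, while a signature over the release id only verifies for the id the developer actually signed. Assumptions: the commit body is simplified, all function names are hypothetical, and a Lamport one-time signature built from `hashlib` stands in for GnuPG so the block runs with the standard library only.

```python
import hashlib
import secrets

def git_object_id(kind: str, body: bytes) -> str:
    """Git's content address: SHA-1 over '<kind> <length>' + NUL + body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def commit_id(blob: bytes, parent: str, message: str) -> str:
    # Simplified commit body (assumption): real commits name a tree, author and dates.
    body = f"blob {git_object_id('blob', blob)}\nparent {parent}\n\n{message}\n"
    return git_object_id("commit", body.encode())

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def lamport_keygen():
    # One-time key pair: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret per digest bit; a key must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(_h(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def demo() -> dict:
    parent = "0" * 40                       # constructed sample values throughout
    released = commit_id(b"print('hello')\n", parent, "release 1.0")
    sk, pk = lamport_keygen()               # the developer's key pair
    sig = lamport_sign(sk, released.encode())
    # Altered content still yields a well-formed id: hashing alone vouches for nothing.
    altered = commit_id(b"print('hello'); extra()\n", parent, "release 1.0")
    return {
        "ids_differ": released != altered,
        "released_verifies": lamport_verify(pk, released.encode(), sig),
        "altered_verifies": lamport_verify(pk, altered.encode(), sig),
    }

if __name__ == "__main__":
    print(demo())
```
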