[1212] in linux-announce channel archive


PROPOSAL: Sign Your Soft

daemon@ATHENA.MIT.EDU (Lars Wirzenius)
Sun Oct 29 06:26:45 1995

Date: Tue, 24 Oct 1995 20:39:45 +0200
From: Lars Wirzenius <wirzeniu@cc.helsinki.fi>
To: linux-announce@vger.rutgers.edu
Reply-To: linux-announce-owner@vger.rutgers.edu

From: "Ralf W. Stephan" <ralf@ark.franken.de>
Subject: PROPOSAL: Sign Your Soft
Approved: linux-announce@news.ornl.gov (Lars Wirzenius)
Newsgroups: comp.os.linux.announce
Organization: ?
Followup-to: comp.os.linux.development.apps

-----BEGIN PGP SIGNED MESSAGE-----

[ Moderator's note: This is a bit on the edge of what is acceptable for
  c.o.l.announce, but I'm posting it because I find the issue important.
  --liw ]

- -----BEGIN PGP SIGNED MESSAGE-----

A frequent subject discussed among people that use Linux is the
security of the software they get for their systems.  As the danger
of catching a virus is almost nil, the possibility of trojan horses
is still there.  Of course the team work between maintainers of the
archive sites and the developers is a big hindrance for anyone trying
to fake a package, and in fact, until now there is no case known of
a package deliberately hacked.  This is good.  It could be even better.

With the coming of advanced crypto methods it is possible to
authenticate any information that is available digitally.  Lars
Wirzenius already signs every one of his postings in c.o.l.a.  This
not only creates trust in the key he uses but also proves that the 
message was seen by him, thus paving the way for possible future
methods of avoiding spam.

Even more important, this scheme can easily be applied to software
packages.  This is nothing new --- N*tscape posted MD5 checksums for
their soft to the net some weeks ago.  I therefore propose the usage of 
the following methods to authenticate software packages for Linux, 
by you, the developers:

1.  Use an authentication scheme whenever you announce a package
    on the net.  People tend to save the announcements until they
    have the package itself.  Sign the article itself, too.

2.  Create a possibility to check authenticity of software packages
    en bloc.  Signatures could be embedded in the LSM entry.

Furthermore, I propose the usage of one of the following algorithms
for authentication:

A.  Use checksums by one-way-hash functions.  The most widely regarded
    functions are MD5 and SHA.  They are good.

    But, with only a hash, people wouldn't be sure if the signature
    is really from you.  So, if you really want to be paranoid, I
    mean, on the safe side, then do:

B.  Sign with PGP.  The command is 'pgp -sba file' and it gets you
    an ASCII signature in file.asc .  No one can fake that without your
    secret key and your pass phrase.  Append the sig to your announce.
    Use PGP often, so people see that you care about security.

Addendum:  It might be better to sign your tar-file, not the tar.gz.
It is possible that some archives repack with other gzip options to
spare a byte.

Thanks for your patience,
ralf


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.i

iQCVAgUBMIpmu/UDwEOnE+zpAQHJ+QP/YoqQSa0xJB4f9tv1iYNVRtvgCYKiCc6u
e0cLd2pBH+i0mxPlQbTEFxj+HDn9aE45eIIQHpjdgLIo0bVjB46WaML/y4oWYKYi
ADRveaayMqRxPIVetb1t91PUPulnCdN5vSdg71vt20rS4ZDSNEJCMV5De6ueLEke
L4Nu4gI7I5w=
=Ca3R
- -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMI0viIQRll5MupLRAQHHuwQAl3RMvVWfkXR4kjAMd3ZKVmbvXSbKFJEK
zF0SFWRc8O6g/UgiGC4lXJOjbsKuVYVspBC6rZle66M98Ua4UbjewE7hEsZ4oJnu
bmXJzVuZQ951MNF/sZ5mQHDarruE8s3f27cnYZ4VKyOfKgPDe5wlTqvf2ETjKRKn
Remd3BQVydE=
=T/00
-----END PGP SIGNATURE-----

-- 
This article has been digitally signed by the moderator, using PGP.
Finger wirzeniu@kruuna.helsinki.fi for PGP key needed for validating signature.
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember a short description of the software and the LOCATION.
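
The addendum's point about signing the tar file rather than the tar.gz, as an added example that is not part of the original post: the same tar, recompressed with different gzip settings, yields different compressed bytes but an identical decompressed stream. The archive contents, file name, timestamps and the use of SHA-256 (standing in for the "MD5 and SHA" the post names) are constructed assumptions.

```python
import gzip
import hashlib
import io
import tarfile


def build_tar() -> bytes:
    """Build a small constructed tar archive in memory (stand-in for a release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"int main(void) { return 0; }\n" * 200  # constructed sample file
        info = tarfile.TarInfo(name="hello-1.0/hello.c")  # hypothetical package
        info.size = len(data)
        info.mtime = 814566000  # fixed timestamp so the tar bytes are stable
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def repack(tar_bytes: bytes, level: int, mtime: int) -> bytes:
    """Compress as an archive site might: its own level and gzip header mtime."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(tar_bytes)
    return out.getvalue()


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare() -> dict:
    tar_bytes = build_tar()
    author = repack(tar_bytes, level=9, mtime=814566000)  # what the developer uploaded
    mirror = repack(tar_bytes, level=1, mtime=814999999)  # what a mirror re-gzipped
    mirror_tar = gzip.decompress(mirror)
    return {
        # A checksum or signature over the .tar.gz no longer matches after repacking.
        "gz_digests_match": digest(author) == digest(mirror),
        # A checksum or signature over the .tar survives the repack.
        "tar_digests_match": digest(gzip.decompress(author)) == digest(mirror_tar),
        "matches_original": digest(mirror_tar) == digest(tar_bytes),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```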

