Re: PGP signing releases

On Mon, Feb 03, 2003 at 22:55:12 -0600,
Greg Copeland <greg(at)CopelandConsulting(dot)Net> wrote:
>
> I'll say this again. Checksums alone offers zero security protection.
> It was never intended to address that purpose. As such, it does not
> address it. If you need security, use a security product. Checksums
> ONLY purpose is to ensure copy propagation validation. It does not
> address certification of authenticity in any shape or form.

Checksums can be used for security in that they can be transmitted through
alternative channels using lower bandwidth than that used for the raw data.
(They are also what is normally signed by asymmetric keys for performance
reasons.).

And note that even signing the releases only protects against some kinds
of problems. If someone breaks into the CVS server shortly before a release,
they could change the source code and have a reasonable chance that the change
would go unnoticed for long enough to make it into a release. There are also
circumstances that the developers might be compromised (at least from the
standpoint of the downloaders). I wouldn't be that surprised if under pressure
from the FBI the developers might cooperate in getting a trojaned copy of
the database server into the hands of someone the FBI was interested in.
(Ogranized crime really should be supporting open source since they really
need software they can trust and it is a lot easier to check for trojaned
source, than it is for trojaned binaries.) Large amounts of money could also
produce the same result. I don't think either of those scenarios is likely,
but they are possible.

Signing the releases is a good idea, but they aren't going to be a 100%
guarenty against trojans.