[haiku-development] Re: Design for signed packages

• From: Urias McCullough <umccullough@xxxxxxxxx>
• To: haiku-development@xxxxxxxxxxxxx
• Date: Fri, 28 Mar 2014 13:41:00 -0700

On Fri, Mar 28, 2014 at 1:25 PM, Jonathan Schleifer
<js-haiku-development@xxxxxxxxxxx> wrote:
> Well, I didn't want to stop after signed packages. But that was what I deemed 
> the most necessary step, as every developer downloads unsigned packages 
> during the build process and then later uploads packages. So all that's 
> needed to plant a backdoor in Haiku is controlling the internet connection of 
> a single developer once.

I don't understand how that's significantly different from simply
maintaining hashes of all the binaries in our source control and
verifying them during download. There's really no need to sign them
assuming we trust devs who have commit access already.

If, on the other hand, we believe there are individuals out there who
are impersonating already-trusted devs and using their access to
upload packages and commit changes to our Git repo, then I guess
signing packages might be worthwhile.

- Urias

• Follow-Ups:
  • [haiku-development] Re: Design for signed packages
    • From: Julian Harnath

• References:
  • [haiku-development] Re: Design for signed packages
    • From: Ingo Weinhold
  • [haiku-development] Re: Design for signed packages
    • From: Rene Gollent
  • [haiku-development] Re: Design for signed packages
    • From: Jonathan Schleifer
  • [haiku-development] Re: Design for signed packages
    • From: Ingo Weinhold
  • [haiku-development] Re: Design for signed packages
    • From: Jonathan Schleifer
  • [haiku-development] Re: Design for signed packages
    • From: Urias McCullough
  • [haiku-development] Re: Design for signed packages
    • From: waddlesplash
  • [haiku-development] Re: Design for signed packages
    • From: SMC.Collins
  • [haiku-development] Re: Design for signed packages
    • From: Jonathan Schleifer
  • [haiku-development] Re: Design for signed packages
    • From: Stephan Aßmus
  • [haiku-development] Re: Design for signed packages
    • From: Jonathan Schleifer
  • [haiku-development] Re: Design for signed packages
    • From: Fredrik Holmqvist
  • [haiku-development] Re: Design for signed packages
    • From: Jonathan Schleifer
  • [haiku-development] Re: Design for signed packages
    • From: Fredrik Holmqvist
  • [haiku-development] Re: Design for signed packages
    • From: waddlesplash
  • [haiku-development] Re: Design for signed packages
    • From: Jonathan Schleifer
  • [haiku-development] Re: Design for signed packages
    • From: Stephan Aßmus
  • [haiku-development] Re: Design for signed packages
    • From: Matthew Getch
  • [haiku-development] Re: Design for signed packages
    • From: Jonathan Schleifer
  • [haiku-development] Re: Design for signed packages
    • From: Ari Haviv
  • [haiku-development] Re: Design for signed packages
    • From: Jonathan Schleifer

Other related posts:

• » [haiku-development] Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Axel Dörfler
• » [haiku-development] Re: Design for signed packages- Ingo Weinhold
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Axel Dörfler
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Ingo Weinhold
• » [haiku-development] Re: Design for signed packages- Stephan Aßmus
• » [haiku-development] Re: Design for signed packages- Axel Dörfler
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Ingo Weinhold
• » [haiku-development] Re: Design for signed packages- Rene Gollent
• » [haiku-development] Re: Design for signed packages- François Revol
• » [haiku-development] Re: Design for signed packages- Ingo Weinhold
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Ingo Weinhold
• » [haiku-development] Re: Design for signed packages- Ingo Weinhold
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Urias McCullough
• » [haiku-development] Re: Design for signed packages- Rene Gollent
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Julian Harnath
• » [haiku-development] Re: Design for signed packages- Ingo Weinhold
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Ingo Weinhold
• » [haiku-development] Re: Design for signed packages- waddlesplash
• » [haiku-development] Re: Design for signed packages- SMC.Collins
• » [haiku-development] Re: Design for signed packages- Jonathan Schleifer
• » [haiku-development] Re: Design for signed packages- Fredrik Holmqvist
• » [haiku-development] Re: Design for signed packages- SMC.Collins

1. Home
2. haiku-development
3. Archive
4. 03-2014

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---