On 6/23/2014 9:46 AM, Stephen R Guglielmo wrote:
>> We now have Windows .exe files signed into the git repo. We
>> should use them to verify newer versions of these exe files
>> rather than assuming they are golden and error-free. If these
>> executables are hacked, it could be a disaster. If they are out
>> of date and have unpatched buffer overflow bugs, they could be
>> exploited. However, I think it is a good idea to have these
>> executables in git. When we do releases, I think we should use
>> the latest versions of these executables from our favorite
>> sources (preferably sources that are not disclosed), and verify
>> that we get the same result as using the signed in versions.
>
> Hm? I don't think there's any .exe files committed to git right
> now?

The GnuWin32 directory has dd.exe and gzip.exe. The nasm-2.08 directory has nasm.exe. All three were added in your commit b5adb3ed5787eeb767e51200a857f5e104bb2983. If I wanted to sneak in a back-door this early in the project, hacking these files would be high on my list! However, it is more likely that we will run into hacked executables going forward, so comparing results to the old executables may make sense.
Bill