 Home |
Products |
Support |
Community |
News |
xen-devel
Re: [Xen-devel] Xen signing and wget
| To: | Keir Fraser <keir.fraser@xxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: [Xen-devel] Xen signing and wget |
| From: | Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx> |
| Date: | Tue, 06 Jul 2010 17:42:11 +0200 |
| Cc: | "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> |
| Delivery-date: | Tue, 06 Jul 2010 08:42:26 -0700 |
| Dkim-signature: | v=1; a=rsa-sha1; c=relaxed/relaxed; d=messagingengine.com; h=message-id:date:from:mime-version:to:cc:subject:references:in-reply-to:content-type; s=smtpout; bh=l7DLAEN0WNHuzjj1P85hvWzfEu0=; b=TtEHxKnnOcIs+jgeZr4+U/55LOnMSfCulAmhkdV7TLqYwbNmkNw1vsO+3Vu4E8xUHO43tDm55q5DGCgIO7kgawfh9MiR8xgIs4lQD58M8hsz6psLQxBXclupvaPie2640UzrN+svbid4Y776YgZt+iA51ddI4vDYYjSJktlyFI8= |
| Envelope-to: | www-data@xxxxxxxxxxxxxxxxxxx |
| In-reply-to: | <C8590BA9.198A1%keir.fraser@xxxxxxxxxxxxx> |
| List-help: | <mailto:xen-devel-request@lists.xensource.com?subject=help> |
| List-id: | Xen developer discussion <xen-devel.lists.xensource.com> |
| List-post: | <mailto:xen-devel@lists.xensource.com> |
| List-subscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe> |
| List-unsubscribe: | <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe> |
| References: | <C8590BA9.198A1%keir.fraser@xxxxxxxxxxxxx> |
| Sender: | xen-devel-bounces@xxxxxxxxxxxxxxxxxxx |
| User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.10) Gecko/20100621 Fedora/3.0.5-1.fc13 Lightning/1.0b2pre Thunderbird/3.0.5 |
On 07/06/10 17:34, Keir Fraser wrote: > On 06/07/2010 16:27, "Joanna Rutkowska" <joanna@xxxxxxxxxxxxxxxxxxxxxx> > wrote: > >>>> But you use plaintext connection, which, in security, means random code. >>>> I think we have already went through this last time when discussing the >>>> signing process for Xen ;) >>> >>> Okay, then make a patch, including hashes for our current collection of >>> downloads. >> >> I'm not a Xen developer. I do not sign your tarballs... > > Perhaps best then to sign the tarballs we have on xenbits, and verify the > signatures when we download tarballs. Ian Jackson might pick that up as a > work item. > For me (=user) that would be just fine, but I think *for you* (=vendor) it might be better to just generate a list of hashes via md5sum and include this file (say 'sources') in your tarball, and get your Makefiles just do md5sum -c sources after it downloads them. The difference is subtle, but I think you show this way that these are external components, originally not signed, not created by you (but only somehow verified, hence the hash). If you sign something with your key, it suggests you have somehow generated it yourself. I know it's subtle. joanna.
_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | [Xen-devel] Re: [Bug 1612] Can't start VM when vif set and udev version is greater than 151, Jan Beulich |
|---|---|
| Next by Date: | [Xen-devel] Re: [PATCH] rombios: move the stack to 0x9e000 and protect it with an e820 entry, Tim Deegan |
| Previous by Thread: | Re: [Xen-devel] Xen signing and wget, Keir Fraser |
| Next by Thread: | Re: [Xen-devel] Xen signing and wget [and 3 more messages], Ian Jackson |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
