On 07/06/10 17:34, Keir Fraser wrote:
> On 06/07/2010 16:27, "Joanna Rutkowska" <joanna@xxxxxxxxxxxxxxxxxxxxxx>
> wrote:
>
>>>> But you use plaintext connection, which, in security, means random code.
>>>> I think we have already went through this last time when discussing the
>>>> signing process for Xen ;)
>>>
>>> Okay, then make a patch, including hashes for our current collection of
>>> downloads.
>>
>> I'm not a Xen developer. I do not sign your tarballs...
>
> Perhaps best then to sign the tarballs we have on xenbits, and verify the
> signatures when we download tarballs. Ian Jackson might pick that up as a
> work item.
>
For me (=user) that would be just fine, but I think *for you* (=vendor)
it might be better to just generate a list of hashes via md5sum and
include this file (say 'sources') in your tarball, and get your
Makefiles just do md5sum -c sources after it downloads them.
The difference is subtle, but I think you show this way that these are
external components, originally not signed, not created by you (but only
somehow verified, hence the hash). If you sign something with your key,
it suggests you have somehow generated it yourself. I know it's subtle.
joanna.
signature.asc
Description: OpenPGP digital signature
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|