On Oct 8, 2003, at 18:18, Jack Jansen wrote: > > On 9-okt-03, at 0:06, Eric Nieuwland wrote: >> First there the maintainer of the PackMan database needs to be >> assured that the source can be trusted. As there can be many sources, >> this is a hard problem and ultimately would require a full-blown PKI. >> Now I can hardly imagine anyone would like to set-up a PKI just for >> fun. PGP probably is the way to go here. > > I don't think so: I think MD5 is good enough here. The scapegoat > downloaded a specific source distribution and built it without > problems. S/he gets the md5 sum of that distribution, puts the URL and > md5sum in the database and can be sure that whatever the end user > downloads is correct. > >> Then there is the end-user who has to be convinced s/he can trust the >> PackMan database and the packages obtained through it. The discussion >> on MD5/SHA-1 and SSL seem to cover that fine. > > And now that I know there is SSL support in MacPython (which very > pleasantly surprised me!!) > I think we can solve everything except for name server spoofing (by > having a wellknown > secure-http URL in the distribution, that we use to check MD5 sums). > > Since this is as good as Safari is (which doesn't complain at all > about certificates > signed by unknown parties! To my surprise it doesn't even seem to let > you find this out!!) > I think it's good enough for us. Safari sure does complain about certs signed by unknown parties, and even Mail.app does (in 10.3). From Safari: The website’s certificate was signed by an unknown certifying authority. You might be connecting to a website that is pretending to be “svn.mobwire.com” which could put your confidential information at risk. Would you like to continue anyway? I haven't found a way in Safari to look at the certs, but Mail.app lets you look at certs. -bob
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4