Jack Jansen said:
>
> On 9-Oct-03, at 0:06, Eric Nieuwland wrote:
>> First there is the maintainer of the PackMan database, who needs to be assured
>> that the source can be trusted. As there can be many sources, this is
>> a hard problem and ultimately would require a full-blown PKI. Now I
>> can hardly imagine anyone would like to set up a PKI just for fun. PGP
>> probably is the way to go here.
>
> I don't think so: I think MD5 is good enough here. The scapegoat
> downloaded a specific source distribution and built it without
> problems. S/he gets the md5 sum of that distribution, puts the URL and
> md5sum in the database and can be sure that whatever the end user
> downloads is correct.

OK. I assumed that the scapegoat would like to know for sure where the
code came from. Otherwise, s/he has to either trust the source and thus
the developer, or review and test every package.

>> Then there is the end-user, who has to be convinced s/he can trust the
>> PackMan database and the packages obtained through it. The discussion
>> on MD5/SHA-1 and SSL seems to cover that fine.
>
> And now that I know there is SSL support in MacPython (which very
> pleasantly surprised me!!), I think we can solve everything except for
> name server spoofing (by having a well-known secure-http URL in the
> distribution, that we use to check MD5 sums).

Now if we could use a fixed IP address for the next ten years or so,
then we could bypass the name server and avoid the spoofing issue.
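The scheme the two sides of this exchange converge on has two halves: the maintainer records, for each distribution that built cleanly, its URL and digest in the database; the end user fetches that database from a well-known HTTPS URL and checks the digest of whatever the package URL actually served. The following is an added example of that flow, not code from the PackMan project or from either participant. The database layout, the function names, the package URL and the distribution bytes are all constructed for illustration. The digest algorithm is a parameter because the thread mentions both MD5 and SHA-1; MD5 and SHA-1 are no longer collision-resistant, so a deployment today would record SHA-256, and the example defaults to MD5 only to match the discussion.

```python
import hashlib
import hmac
import json
import ssl
import urllib.request

# Constructed sample distribution (not a real archive) and package URL.
DIST_BYTES = b"PK\x03\x04 fake-package-1.0 source distribution (constructed)\n"
PACKAGE_URL = "https://example.invalid/dists/fakepkg-1.0.tar.gz"


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of a distribution using a hashlib algorithm name."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def register_package(db: dict, url: str, data: bytes, algorithm: str = "md5") -> dict:
    """Maintainer side: after building a distribution without problems,
    record its URL and digest so end users can check what they download."""
    db[url] = {"algorithm": algorithm, "digest": digest(data, algorithm)}
    return db


def dump_database(db: dict) -> str:
    """Serialise the database as JSON (the form published at the secure URL)."""
    return json.dumps(db, sort_keys=True)


def load_database(text: str) -> dict:
    """Parse a published database; rejects entries missing the two fields."""
    db = json.loads(text)
    for url, entry in db.items():
        if not isinstance(entry, dict) or "algorithm" not in entry or "digest" not in entry:
            raise ValueError(f"malformed database entry for {url}")
    return db


def fetch_database_https(db_url: str) -> dict:
    """End-user side: fetch the database over HTTPS with certificate and
    hostname verification, which is what makes the database trustworthy
    even though the package URLs themselves may be plain HTTP.
    Not called in the offline demonstration below."""
    if not db_url.startswith("https://"):
        raise ValueError("database must be fetched over HTTPS")
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with urllib.request.urlopen(db_url, context=ctx) as resp:
        return load_database(resp.read().decode("utf-8"))


def verify_download(db: dict, url: str, data: bytes) -> bool:
    """End-user side: True only if the bytes served for `url` match the
    digest the maintainer recorded. An unknown URL fails closed."""
    entry = db.get(url)
    if entry is None:
        return False
    actual = digest(data, entry["algorithm"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(entry["digest"], actual)


if __name__ == "__main__":
    # Maintainer publishes; user loads the published text and checks a download.
    published = dump_database(register_package({}, PACKAGE_URL, DIST_BYTES))
    db = load_database(published)
    print("genuine download ok:", verify_download(db, PACKAGE_URL, DIST_BYTES))
    print("tampered download ok:", verify_download(db, PACKAGE_URL, DIST_BYTES + b"\x00"))
```

Note what the digest check does and does not buy: it binds the bytes the user receives to the bytes the maintainer built, so a swapped or corrupted archive at the package URL is caught; it says nothing about where the maintainer's copy came from, which is exactly the gap raised in the reply above.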