Check Who Signed Off On Your Software
An anonymous reader submits "The Software Sig Page encourages software maintainers to publish verifiable signatures for released software and to build the web of trust among software maintainers and software users. If you're afraid of downloading a trojaned OpenSSH, being 0wned while capturing packets, compiling an MTA as well as a backdoor on your system, not being able to trust tools you use every day, or never having a chance from the moment your OS boots, then you want some level of assurance that the software you use is everything the maintainers expected you to have and no more. Look and check the MD5 and PGP signatures that come with software you download."
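One way to do the checksum half of that check, as an added example that is not from the submission or from the Software Sig Page: a short Python script that parses an md5sum- or sha256sum-style checksum file and verifies each listed download, run here on constructed sample files (the file names and contents are made up).

```python
import hashlib
import os
import tempfile

DIGEST_ALGOS = {32: "md5", 64: "sha256"}  # hex-digest length -> algorithm (md5sum / sha256sum)

def parse_checksum_file(text):
    """Parse "<hexdigest>  <filename>" lines (coreutils format) into (name, digest, algo)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition("  ")   # coreutils separates with two spaces
        name = name.lstrip("*")                  # a leading '*' marks binary mode
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None or not name:
            raise ValueError("unrecognised checksum line: %r" % line)
        entries.append((name, digest.lower(), algo))
    return entries

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:                   # hash in chunks; tarballs can be large
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_checksums(checksum_text, directory):
    """Return {filename: "OK" | "FAILED" | "MISSING"} for every entry in the checksum file."""
    results = {}
    for name, expected, algo in parse_checksum_file(checksum_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if file_digest(path, algo) == expected else "FAILED"
    return results

def demo():
    """Constructed sample: an intact tarball, one altered after its checksum was published, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        ssh, mta = b"pretend openssh release\n", b"pretend MTA release\n"
        open(os.path.join(d, "openssh.tar.gz"), "wb").write(ssh)
        open(os.path.join(d, "mta.tar.gz"), "wb").write(mta)
        sums = "%s  openssh.tar.gz\n%s  *mta.tar.gz\n%s  never-downloaded.tar.gz" % (
            hashlib.md5(ssh).hexdigest(), hashlib.sha256(mta).hexdigest(), "0" * 32)
        with open(os.path.join(d, "mta.tar.gz"), "ab") as f:
            f.write(b"# bytes appended after the checksum was published\n")
        return verify_checksums(sums, d)
```

A checksum fetched from the same place as the tarball only catches corruption or a clumsy swap; the checksum file itself needs a PGP signature from a key you trust before it says anything about who released the software.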
Let's face it, the average user doesn't know what an MD5 checksum or PGP even are. It's a sad thing, because most security tools are easy to use, and would make the internet a safer place, but the fact of the matter is that you still have people opening up e-mail viruses that are an attachment with a notepad icon. Although if you know how you should, we need to find a safe delivery system that's a bit easier for the average Joe, who seems to enjoy living on the edge, downloading lots of shareware, and clicking on every e-mail attachment they get.
Who tells you that no one compromised the data before it was put on the CD?
How can you be sure that the software company's compilers aren't compromised? (see Reflections on Trusting Trust)
Even if the software you bought isn't compromised by any third party - can you trust the software company?
while (!asleep()) sheep++
In truth, I'm more afraid of accidental errors made by developers with good intentions (as have shown up in just about every security-critical C program I've ever used) than trojans slipped in by miscreants. Sadly, digital signatures and hashes can do nothing to help me here...
If my PGP key has a hundred signatures, that doesn't make me a nice guy and it doesn't mean that I don't write software with Comet Cursor-like features. All it means is that I am who I say I am. If Osama bin Laden or John Ashcroft came into my house and asked me to sign their key, I would, but that doesn't mean I would trust software written by either of them.
Lord, bless my users that they may stop being such fucking idiots!!
Didn't stop MS from including a virus on an MSDN CD a while back...