Slashdot Mirror


Check Who Signed Off On Your Software

An anonymous reader submits "The Software Sig Page encourages software maintainers to publish verifiable signatures for released software and to build the web of trust among software maintainers and software users. If you're afraid of downloading a trojaned OpenSSH, being 0wned while capturing packets, compiling an MTA as well as a backdoor on your system, not being able to trust tools you use every day, or never having a chance from the moment your OS boots, then you want some level of assurance that the software you use is everything the maintainers expected you to have and no more. Look and check the MD5 and PGP signatures that come with software you download."
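The submitter's advice ("check the MD5 and PGP signatures") is a procedure, so here is an added, self-contained walk-through of it; this is editor-supplied example code, not material from the story or from the Software Sig Page. It builds everything it needs in a temporary directory: a throwaway "maintainer" key, a second key standing in for one an attacker has managed to get into your keyring, a constructed fake tarball, a checksum file and detached signatures. The user ids, file names and the `example.invalid` addresses are all made up for the demo. It assumes gpg 2.1 or later and GNU coreutils (`sha256sum`); SHA-256 is used instead of MD5 because MD5 collisions are practical today. Two points the story does not spell out are exercised explicitly: `gpg --verify` succeeds for any key in your keyring, so the signing key's fingerprint has to be pinned to one obtained out of band, and a checksum file served from the same mirror as the tarball can be regenerated by whoever compromised that mirror.

```shell
#!/usr/bin/env bash
# Added example, not part of the story or the Software Sig Page. Everything is
# constructed locally in a temp dir: a throwaway "maintainer" key, a second key
# standing in for one an attacker slipped into your keyring, a fake tarball, its
# checksum file and detached signatures. Needs gpg 2.1+ and GNU coreutils.
set -euo pipefail

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# gpg with no prompts and an empty passphrase (demo keys only).
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Create a key for the given user id and print its primary key fingerprint.
make_key() {
    gpgq --quick-generate-key "$1" default default never 2>/dev/null
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached, ASCII-armored signature: $1 = signer uid, $2 = file, $3 = output path.
sign_file() { gpgq --yes --local-user "$1" --armor --detach-sign --output "$3" "$2"; }

# The check that matters. "gpg --verify" exits 0 for a valid signature by ANY
# key in your keyring, so a trojaned download that ships its own key (or a key
# you imported from the same compromised server) still passes. Pin the
# fingerprint you obtained out of band: the VALIDSIG status line carries the
# signing key's fingerprint first and the primary key's fingerprint last.
# $1 = file, $2 = detached signature, $3 = expected primary key fingerprint.
verify_release() {
    local status
    status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || return 1
    printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG ($3 |.* $3\$)" || return 1
}

# Checksums catch corrupted or swapped bytes, nothing more: whoever controls the
# mirror can regenerate the checksum file. $1 = checksum file, kept next to the
# files it lists (sha256sum -c resolves the listed names relative to it).
check_sums() {
    (cd "$(dirname "$1")" && sha256sum --check --status "$(basename "$1")")
}

# --- constructed release, signatures, and the attacker's variants ---
cd "$WORK"
printf 'not a real tarball; constructed for this demo\n' > openssh-demo.tar.gz
sha256sum openssh-demo.tar.gz > SHA256SUMS
MAINTAINER_FPR="$(make_key 'Demo Maintainer <demo@example.invalid>')"
ROGUE_FPR="$(make_key 'Rogue Signer <rogue@example.invalid>')"
sign_file 'Demo Maintainer' openssh-demo.tar.gz openssh-demo.tar.gz.asc
sign_file 'Rogue Signer'    openssh-demo.tar.gz openssh-demo.tar.gz.rogue.asc
cp openssh-demo.tar.gz trojaned.tar.gz
printf 'backdoor\n' >> trojaned.tar.gz
# Real checksum file pointed at the tampered file: what a checksum DOES catch.
sed 's/openssh-demo\.tar\.gz/trojaned.tar.gz/' SHA256SUMS > MISMATCH_SHA256SUMS
# Attacker regenerates the checksum file for the tampered tarball: what it does NOT catch.
sha256sum trojaned.tar.gz > ROGUE_SHA256SUMS

# Stand-alone report; the same calls are what you would script for real downloads.
report() { if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }
report verify_release openssh-demo.tar.gz openssh-demo.tar.gz.asc       "$MAINTAINER_FPR"
report verify_release trojaned.tar.gz     openssh-demo.tar.gz.asc       "$MAINTAINER_FPR"
report verify_release openssh-demo.tar.gz openssh-demo.tar.gz.rogue.asc "$MAINTAINER_FPR"
report check_sums "$WORK/SHA256SUMS"
report check_sums "$WORK/MISMATCH_SHA256SUMS"
report check_sums "$WORK/ROGUE_SHA256SUMS"
```

Running it, the genuine tarball with the maintainer's signature is accepted; the tampered copy and the rogue-key signature are rejected even though gpg itself reports the rogue signature as good; the checksum check catches the mismatch against the real SHA256SUMS but happily accepts the attacker's regenerated one. That last line is the reason the Software Sig Page pushes signatures and a web of trust rather than hashes hosted beside the download: for real releases, pin the maintainer's fingerprint from a source other than the download site (a keysigning, a printed key, a known-good older release), and treat the checksum file as useful only once the signature over it or over the tarball has been verified.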

2 of 25 comments

  1. This seems like an issue for OSS by ObviousGuy · Score: 3, Interesting

    If you have the actual shrink-wrapped product CD with appropriate holograms, this isn't an issue.

    If you're downloading god-knows-what from the Internet, you're taking a big chance, and this latest idea is probably pretty good for those people.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:This seems like an issue for OSS by Just Some Guy · Score: 4, Interesting
      If you have the actual shrink-wrapped product CD with appropriate holograms, this isn't an issue.

      That's right. Because no software houses suffer from hacked networks. Because all sub-contractors are trustworthy. Because the source used to generate a CD is inherently more secure than a source used to generate a downloadable file.

      Do you know that Microsoft is the only party that ever touches their data before it gets pressed and shipped? If you thought so, you're wrong.

      --
      Dewey, what part of this looks like authorities should be involved?