While I agree that a programmer does not NEED to know how to design the full system, I do not really agree that a system architect does not have to know all the nitty gritty. Yes, in a pure sense it isn't necessary to know the details, but in practice I do not think it is possible to design a robust, scalable system without a solid understanding of the nitty gritty, as that knowledge is usually one of the driving elements in architectural decisions... this comment cut short by the need to do real work... sigh
I have always liked the elegant simplicity and clean lines of my Palm 515, especially in its hard case... it may not be the most feature-rich or powerful device, but it gets the important stuff done and IMHO is still the best looking package out there.
Ok, the original post was not talking about signing the source, just taking a hash of it... but it is a simple thing to go the extra step and sign it as well. Once the code or even a tar is signed, it isn't even necessary to get the code from multiple sources (as long as the key is trusted).
For those of you that need a quick refresher in public key signing, in a nutshell it goes as follows:
I create a public key/private key pair and distribute my public key, usually via a key server. I can then use my private key to sign a document; my public key can then be used to verify that 1) I am the person that signed the document and 2) the document has not been modified since I signed it.
If you REALLY want to trust the open source code you run... don't use it unless you have a trusted public key for the distributor and the code passes a sig check.
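The difference between the hash check and the signature check described in the comment above, as an added example that is not part of the original comment. It uses unpadded textbook RSA over SHA-256 with fixed toy primes purely for illustration (a real check would use a tool such as GnuPG), and all names and sample data are constructed.

```python
import hashlib

# Toy key material, constructed for this example only. Fixed Mersenne primes make
# the run deterministic; real keys use random primes and padded signatures.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                       # distributor's public key (trusted)
D = pow(E, -1, (P - 1) * (Q - 1))         # distributor's private key

# A second, untrusted key pair standing in for whoever controls a bad mirror.
Q2 = 2**1279 - 1
N2 = P * Q2
D2 = pow(E, -1, (P - 1) * (Q2 - 1))

def digest(data: bytes) -> int:
    """SHA-256 of the data as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, d: int, n: int) -> int:
    """Textbook RSA signature: digest raised to the private exponent."""
    return pow(digest(data), d, n)

def verify(data: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Check a signature against the trusted public key (E, N) by default."""
    return pow(sig, e, n) == digest(data)

def hash_check(data: bytes, published_hex: str) -> bool:
    """Plain hash comparison against whatever hash the download site shows."""
    return hashlib.sha256(data).hexdigest() == published_hex

def mirror_scenario() -> dict:
    original = b"example-1.0.tar contents"            # constructed sample
    release_sig = sign(original, D, N)                # made once by the distributor
    # A modified copy served together with a freshly recomputed hash:
    modified = original + b" plus an unreviewed change"
    mirror_hash = hashlib.sha256(modified).hexdigest()
    return {
        "genuine_sig_ok": verify(original, release_sig),
        # The hash matches because it came from the same place as the file.
        "modified_hash_ok": hash_check(modified, mirror_hash),
        # The old signature does not cover the modified bytes.
        "modified_old_sig_ok": verify(modified, release_sig),
        # A new signature from an untrusted key fails against the trusted key.
        "modified_other_key_ok": verify(modified, sign(modified, D2, N2)),
    }

if __name__ == "__main__":
    for name, ok in mirror_scenario().items():
        print(f"{name}: {ok}")
```

Only the signature check ties the file to a key obtained independently of the download; the hash check passes for any file whose hash is served alongside it.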