[WineHQ] service.cgi fixes
Dimitrie O. Paun
dpaun at rogers.com
Fri Jun 11 16:16:39 CDT 2004
On Fri, Jun 11, 2004 at 02:49:21PM +0100, Paul Millar wrote:
> Why remove the verification of the code's gpg signature? It seems to
> break a basic security maxim: don't trust the network.
Because the current implementation is b0rken, and it just gives us a
false sense of security. If we can't trust the network:
-- why do we trust the script to tell us to do the verification?!?
If anything, we would have to automatically always do the
verification, not have a command for it. So a command of
    download url.foo
should implicitly generate a
    download url.foo.sig
    gpgverify url.foo.sig
-- also, why do we trust the script at all? We should also always
sign the script and verify it every time. But this will make it
rather inconvenient to work with... Oh well, we'll do it if we
must. But we have to be careful to NOT accept downloads signed
by WineHQ (the sig used to sign the script), because if WineHQ
is hacked, all bets are off. In other words, we should trust
only human signatures for file download. I'm not sure how easily
all this can be implemented in winrash.
In any event, those two lines in the script that I've removed are
not the answer. For now I guess we can trust the network.
--
Dimi.
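The policy sketched above (fetch the .sig implicitly, verify, and refuse anything signed with the script-signing key rather than a human key) as an added worked example; this is not code from the thread or from winrash. The fingerprints, the trusted-key table and the keyring path are constructed placeholders, and the policy check is driven by gpg's documented `--status-fd` lines.

```python
"""Signed-download policy: implicit .sig fetch plus a gpg status-line check."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder fingerprints, not real keys.
WINEHQ_SCRIPT_KEY = "DEADBEEF" * 5          # hypothetical key that signs the script itself
TRUSTED_HUMAN_KEYS: Dict[str, str] = {       # hypothetical allowlist of human signers
    "1" * 40: "Alice Developer (hypothetical)",
}


@dataclass
class Verdict:
    ok: bool
    reason: str
    signer: Optional[str] = None


def plan_download(url: str) -> List[List[str]]:
    """Expand a bare 'download url' into the implicit fetch-sig-and-verify sequence."""
    return [["download", url], ["download", url + ".sig"], ["gpgverify", url + ".sig"]]


def gpg_verify_command(sig_path: str, data_path: str, keyring: str) -> List[str]:
    """argv for gpg that emits machine-readable status lines and uses only our keyring."""
    return ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
            "--keyring", keyring, "--verify", sig_path, data_path]


def judge_signature(status_lines: List[str], trusted: Dict[str, str], script_key: str) -> Verdict:
    """Decide from gpg --status-fd output whether a download may be accepted."""
    signer = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, f"gpg reported {tag}")
        if tag == "NO_PUBKEY":
            return Verdict(False, "signer key not present in keyring")
        if tag == "VALIDSIG":
            # fields[2] is the signing (sub)key fpr; field 12, when present, is the primary key fpr.
            signer = fields[11] if len(fields) >= 12 else fields[2]
    if signer is None:
        return Verdict(False, "no valid signature found")
    if signer == script_key:
        return Verdict(False, "signed with the script-signing key; only human keys accepted", signer)
    if signer not in trusted:
        return Verdict(False, "signer not in the trusted human key set", signer)
    return Verdict(True, f"signed by {trusted[signer]}", signer)
```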