[WineHQ] service.cgi fixes

Dimitrie O. Paun dpaun at rogers.com
Fri Jun 11 16:16:39 CDT 2004


On Fri, Jun 11, 2004 at 02:49:21PM +0100, Paul Millar wrote:
> Why remove the verification of the code's gpg signature?  It seems to 
> break a basic security maxim: don't trust the network.

Because the current implementation is b0rken, and it just gives us a
false sense of security. If we can't trust the network:
  -- why do we trust the script to tell us to do the verification?!?
     If anything, we would have to automatically always do the
     verification, not have a command for it. So a command of
	download url.foo
     should implicitly generate a
	download url.foo.sig
	gpgverify url.foo.sig

  -- also, why do we trust the script at all? We should also always
     sign and verify the script every time. But this will make it
     rather inconvenient to work with... Oh well, we'll do it if we
     must. But we have to be careful to NOT accept downloads signed
     by WineHQ (the sig used to sign the script), because if WineHQ
     is hacked, all bets are off. In other words, we should trust
     only human signatures for file download. I'm not sure how easily
     all this can be implemented in winrash.

In any event, those two lines in the script that I've removed are
not the answer. For now I guess we can trust the network.


-- 
Dimi.
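The download flow sketched in the message (an implicit `.sig` fetch and `gpgverify`
for every `download`, accepting only signatures from human keys and never from the
key that signs the script itself), written out as an added example. This is not
winrash code from the thread; the `SCRIPT_SIGNING_KEY` fingerprint is a constructed
placeholder, the separate `HUMAN_KEYRING` file and the `download`, `sig_url`,
`signer_fpr` and `accept_signer` helper names are assumptions made here, and the
signer check relies on the `VALIDSIG` line that `gpg --status-fd` emits.

```shell
#!/bin/sh
# Added example, not part of winrash: every download implicitly fetches
# <url>.sig and verifies it, and a signature made by the key that signs the
# control script is rejected so a compromised WineHQ key cannot vouch for files.

# Fingerprint of the key that signs the script itself (constructed placeholder).
SCRIPT_SIGNING_KEY="0000000000000000000000000000000000000000"
# Keyring holding only the trusted human keys (assumed to be maintained separately).
HUMAN_KEYRING="${HUMAN_KEYRING:-$HOME/.winrash/human-keys.gpg}"

# Derive the detached-signature URL from the download URL.
sig_url() {
    printf '%s.sif\n' "$1" | sed 's/\.sif$/.sig/'
}

# Pull the signer fingerprint out of gpg --status-fd output.
# Prints the fingerprint from the first VALIDSIG line, or nothing if there is none.
signer_fpr() {
    printf '%s\n' "$1" \
      | sed -n 's/^\[GNUPG:\] VALIDSIG \([0-9A-Fa-f]*\) .*/\1/p' \
      | head -n 1
}

# Accept only a good signature whose key is not the script-signing key.
accept_signer() {
    fpr=$(signer_fpr "$1")
    [ -n "$fpr" ] || return 1                       # no valid signature at all
    [ "$fpr" != "$SCRIPT_SIGNING_KEY" ] || return 1 # script key may not vouch for downloads
    return 0
}

# download URL: fetch the file and its .sig, verify against the human keyring,
# and remove both files if verification fails so nothing unverified is left behind.
download() {
    url=$1
    file=${url##*/}
    curl -fsSL -o "$file" "$url" || return 1
    curl -fsSL -o "$file.sig" "$(sig_url "$url")" || { rm -f "$file"; return 1; }
    status=$(gpg --batch --no-default-keyring --keyring "$HUMAN_KEYRING" \
                 --status-fd 1 --verify "$file.sig" "$file" 2>/dev/null)
    if accept_signer "$status"; then
        return 0
    fi
    rm -f "$file" "$file.sig"
    return 1
}
```

Calling `download http://host/wine.exe` fetches `wine.exe` and `wine.exe.sig`, and the
file survives only when gpg reports `VALIDSIG` from a key in the human keyring other
than the script-signing key; a `BADSIG`, a missing signature, or a signature from the
script key all leave no file on disk.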


