Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 25 Apr 2013 08:55:00 -0400 (EDT)
From: Josh Bressers <>
Subject: Re: upstream source code authenticity checking

> So, all in all, what you have is a digest, signed by someone who knows
> the key, or who has access to the creds (if any) for the key, or who
> has found out the key creds, albeit with timestamp info for when the
> signature took place.
> I'm not sure what using PGP gains us?

I'm going to take a hard stance against this statement and use it as my
soapbox for a bit here.

This attitude is really dangerous in the world of security (but it has
infected our universe). Security is hard, we all know that, but I think we
like to draw a line at 100% and say "it's this or nothing". No, PGP isn't
perfect, but it gains us a ton. It's a way we can say "this was signed by
someone with the key". Did the bad guy have they key? Maybe, the goal isn't
to get to 100%, it's to make the job of an attacker harder, which this
would do.

There is no system that exists in this instance that is 100% safe. What we
need to do isn't talk about how useless PGP is (which it isn't), we need to
talk about what's right about it and give advice so people understand how
to avoid silly mistakes.

A great example is to use a smart card. If a project is using a smart card,
and tells us they're using a smart card, that would be helpful in letting
us know their signatures are probably trustworthy. We would certainly know
their signatures are more trustworthy than a project who uses a private key
shared between 10 people. Is the smart card a perfect solution? Certainly
not, but it's better than not using a smart card. How many non security
people really understand this? How many of us have tried to explain it in a
calm and understanding manner?

This is Red Hat's goal here. We want to help folks understand what some
easy wins are. Security is hard, it will never be 100%. I'd rather see us
all working together to improve what we can.

Josh Bressers / Red Hat Product Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.