Date: Fri, 26 Apr 2013 10:25:04 +0200 From: Dag-Erling Smørgrav <des@....no> To: oss-security@...ts.openwall.com Cc: kseifried@...hat.com, Alistair Crooks <agc@...src.org>, Josh Bressers <bressers@...hat.com> Subject: Re: upstream source code authenticity checking Kurt Seifried <kseifried@...hat.com> writes: > This makes no sense. So you don't trust their signature because they > have to "earn trust", but you do trust their software and you compile > and run it? That's literally insane. This is exactly the logic used by web browsers to justify scaring users away from https sites that haven't payed the Verisign tax... DES -- Dag-Erling Smørgrav - des@....no
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.