Hi!
Due to recent events, I wonder whether we should sign our downloads with PGP. As it is now, we're somewhat safe against manipulations of the GitHub downloads, since the SHA-256 hashes are hosted on cmsimple-xh.org, so an attacker would need to get access to our website also. Nonetheless, offering additional detached PGP signatures would add another level of safety, since these are basically hashes which are bound to a certain identity. See http://www.cryptnet.net/fdp/crypto/strong_distro.html for further details.
Besides some additional work for the release managers, the only downside I can see would be that probably few (if any) of our users would verify the signatures.
PGP sign our downloads?
Christoph M. Becker – Plugins for CMSimple_XH
Re: PGP sign our downloads?
This will probably be the same with the SHA-256 hashes. Unfortunately, such possibilities are hardly used. I'm not gutting myself.
But I don't know what we could do to animate the users to use these things.
Regards, Olaf, Plugins for CMSimple_XH
I have long suspected that so many people are so eager to go in for gender, trans and queer topics:
Because they are simply too dumb for the actual subject matter.
Re: PGP sign our downloads?
Besides actually shipping malware with wrong hashes/signatures (which hopefully never happens!) – not much. At least already showing and using best practices may help a bit to push these forward. After all, it is not hard to check hashes/signatures, if one has appropriate software installed and is accustomed to its usage. The problem is rather that few users have such software, and that many OSS projects don't even offer hashes/signatures. So let's set a good example!
Christoph M. Becker – Plugins for CMSimple_XH
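The two checks discussed in this thread, as an added example that is not part of the original posts or of the project's tooling: comparing a download against the SHA-256 hash published on the website, and verifying a detached PGP signature while pinning the signer's fingerprint, so that a valid signature from some other key in the keyring is not accepted. File names, the fingerprint argument and the function names are assumptions; `sha256sum` (GNU coreutils) and `gpg` are assumed to be installed.

```sh
# Added example. All file names and the fingerprint are placeholders.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 if FILE matches the published hash, 1 on mismatch,
# 2 if the hash is malformed or the file is unreadable.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A truncated or mistyped paste must not be compared at all.
    case $expected in
        *[!0-9a-f]*) echo "malformed hash" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed hash" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_signature FILE SIGFILE EXPECTED_FINGERPRINT
# Returns 0 only if SIGFILE is a valid detached signature over FILE
# AND it was made by the key with the expected primary fingerprint.
verify_signature() {
    file=$1
    sig=$2
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    # --status-fd 1 emits machine-readable lines such as "[GNUPG:] VALIDSIG ...".
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # The last field of VALIDSIG is the signer's primary key fingerprint.
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF }')
    [ -n "$signer" ] && [ "$signer" = "$want" ]
}

# verify_download FILE EXPECTED_HEX SIGFILE EXPECTED_FINGERPRINT
# Both checks must pass; the hash comes from the website, the fingerprint
# from a channel the user already trusts.
verify_download() {
    verify_sha256 "$1" "$2" && verify_signature "$1" "$3" "$4"
}
```

The hash check only helps while the website hosting the hash is intact; the fingerprint comparison is what ties the file to the release manager's identity.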