[Squeakfoundation]Squeak downloads
John M McIntosh
johnmci at smalltalkconsulting.com
Thu Jun 19 21:30:47 CEST 2003
Ya, for some time now I've been PGP signing the Macintosh VMs (classic
& OS X). However, I've not been doing that for
the plugins (yet...). I can't say anyone has ever checked this
information, and we don't have any way for joe novice to check. Some
packaging systems do check md5 checksums and/or signatures and do
complain, which I believe caught some Trojans in the past.
Certainly having something that would tell you the files have been
altered would either point out a Trojan, or more likely that you've
corrupted things in the download, which always seems a sore point for
joe novice user. Can't say how we do this, though.
On Thursday, June 19, 2003, at 02:23 PM, Stephen Pair wrote:
> Looks good to me...however, I doubt I would trust it being on a Swiki
> (for the security reasons previously discussed). Here are some ideas
> for how to mitigate that issue:
>
> - add submissions/approval capability to Swiki
> - keep the download page on a regular web server and use WebDav to
> give publishing authorization to VM publishers
> - strongly recommend that VM publishers also cryptographically sign
> their download files (and write some instructions on exactly how to
> do this so that everyone follows the same procedure...and ensure that
> those procedures are good ones)
--
===========================================================================
John M. McIntosh <johnmci at smalltalkconsulting.com> 1-800-477-2659
Corporate Smalltalk Consulting Ltd. http://www.smalltalkconsulting.com
===========================================================================
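The thread above discusses shipping md5 checksums or PGP signatures alongside the VM and plugin downloads so that a user can tell a corrupted or altered file from a good one. The following is an added example of the checksum side of that check, not code from the Squeak project or from either poster. It assumes the publisher distributes a manifest in the plain `<hexdigest>  <filename>` text format that `md5sum`/`sha256sum` produce, and the file names and byte contents below are constructed sample data, not real Squeak artifacts.

```python
"""Verify downloaded files against a publisher's checksum manifest.

Hypothetical helper added to illustrate the thread; it is not Squeak
project code. Assumes a manifest in the text format written by
`md5sum` / `sha256sum`: one "<hexdigest>  <filename>" line per file.
"""
import hashlib
import hmac

# Constructed sample "downloads": names and contents are placeholders,
# not real Squeak release files.
SAMPLE_FILES = {
    "example-vm.image": b"image bytes (constructed sample)",
    "example-plugin.so": b"plugin bytes (constructed sample)",
}


def make_manifest(files, algo="sha256"):
    """Build manifest text the way a publisher would before signing it."""
    lines = []
    for name, data in files.items():
        digest = hashlib.new(algo, data).hexdigest()
        lines.append(f"{digest}  {name}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse '<hexdigest>  <filename>' lines into {filename: hexdigest}.

    Blank lines and '#' comments are skipped; a single-space or '*'
    (binary-mode) separator, as some tools emit, is tolerated.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep:
            digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if digest and name:
            expected[name] = digest.strip().lower()
    return expected


def verify_download(name, data, manifest_text, algo="sha256"):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file.

    'mismatch' covers both a corrupted transfer and a substituted file;
    the check alone cannot tell those apart, which is the point the
    thread makes about needing the manifest itself to be trustworthy.
    """
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return "unlisted"
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; also returns False when lengths differ,
    # e.g. an md5 manifest checked with sha256.
    if hmac.compare_digest(actual, expected[name]):
        return "ok"
    return "mismatch"


def verify_all(files, manifest_text, algo="sha256"):
    """Verify every downloaded file and report a status per name."""
    return {
        name: verify_download(name, data, manifest_text, algo)
        for name, data in files.items()
    }


if __name__ == "__main__":
    manifest = make_manifest(SAMPLE_FILES)
    for name, status in verify_all(SAMPLE_FILES, manifest).items():
        print(f"{status:8s} {name}")
    print("mismatch" , verify_download("example-vm.image", b"altered", manifest))
```

The manifest only helps if it is obtained through a channel the attacker does not also control, which is why the thread pairs it with PGP signing by the VM publisher: the signature covers the manifest (or the files directly), and the checksum comparison then catches both transfer corruption and substitution of the archive on the download host.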