warning to list
Alan Cox
alan at redhat.com
Tue Oct 26 13:24:46 UTC 2004
On Mon, Oct 25, 2004 at 11:53:17PM -0500, Gregory G Carter wrote:
> They still crack Windows with perfectly signed packages from Microsoft.
> I do not see signatures as such a big deal, therefore as they have not
> really impacted code security of Microsoft products.
They've impacted it greatly in terms of things like windows updater. The mess
would have been even worse without it.
> In FACT, I do not see how signing binaries helps really in dealing with
> secure code for end users.
As an admin you set various directories as "only rpm/up2date" can install,
or even set "nothing is executable unless rpm/up2date installed it" type
policies in SELinux and turn on signature checking.
That makes the keys valuable for the policy side of enforcement. The tools
to do this exist now.
> Signed by Microsoft and of course, Doesn't Mean Jack. The best a
> signed package can do is tell you where it is from. But, it doesn't
> make your code any less crackable or any more secure.
No argument there.
Alan
More information about the fedora-test-list
mailing list