Re: warning to list
- From: Alan Cox <alan redhat com>
- To: For testers of Fedora Core development releases <fedora-test-list redhat com>
- Subject: Re: warning to list
- Date: Tue, 26 Oct 2004 09:24:46 -0400
On Mon, Oct 25, 2004 at 11:53:17PM -0500, Gregory G Carter wrote:
> They still crack Windows with perfectly signed packages from Microsoft.
> I do not see signatures as such a big deal, therefore as they have not
> really impacted code security of Microsoft products.
They've impacted it greatly in terms of things like Windows updater. The mess
would have been even worse without it.
> In FACT, I do not see how signing binaries helps really in dealing with
> secure code for end users.
As an admin you set various directories as "only rpm/up2date" can install,
or even set "nothing is executable unless rpm/up2date installed it" type
policies in SELinux and turn on signature checking.
That makes the keys valuable for the policy side of enforcement. The tools
to do this exist now.
> Signed by Microsoft and of course, Doesn't Mean Jack. The best a
> signed package can do is tell you where it is from. But, it doesn't
> make your code any less crackable or any more secure.
No argument there.
Alan
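
The audit side of the policy described in the message above, as an added example that is not part of the original post or of any Red Hat tool: a shell script that lists executables under the given directories that no RPM package owns, or whose owning package records no signature. It assumes an RPM-based host; the function names and status labels are made up for this example, and the signature tag names are those of rpm 4.x.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Audits the "nothing is executable unless rpm installed it" policy after the fact.
# Assumes an RPM-based host; tag names below are those of rpm 4.x.

# classify_file FILE: print "STATUS<TAB>FILE<TAB>PACKAGE" where STATUS is
#   UNOWNED   no package in the RPM database claims the file
#   UNSIGNED  the owning package's header carries no signature
#   SIGNED    a signature is recorded (it was verified at install time only
#             if signature checking was turned on, as the post recommends)
classify_file() {
    f=$1
    if ! pkg=$(rpm -qf --qf '%{NAME}\n' "$f" 2>/dev/null); then
        printf 'UNOWNED\t%s\t-\n' "$f"
        return 0
    fi
    pkg=$(printf '%s\n' "$pkg" | head -n 1)   # file may be shared by packages
    # Each tag prints "(none)" when absent; strip those and see what is left.
    sig=$(rpm -q --qf '%{RSAHEADER:pgpsig}%{DSAHEADER:pgpsig}%{SIGPGP:pgpsig}%{SIGGPG:pgpsig}\n' \
              "$pkg" 2>/dev/null | head -n 1 | sed 's/(none)//g')
    if [ -n "$sig" ]; then
        printf 'SIGNED\t%s\t%s\n' "$f" "$pkg"
    else
        printf 'UNSIGNED\t%s\t%s\n' "$f" "$pkg"
    fi
}

# audit_exec DIR...: print every executable regular file that is not from a
# signed package. Returns 1 if any such file exists, 0 if the tree is clean.
audit_exec() {
    report=$(
        find "$@" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null |
        while IFS= read -r f; do classify_file "$f"; done |
        awk -F '\t' '$1 != "SIGNED"'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Example: sh audit.sh /usr/local/bin /opt
if [ "$#" -gt 0 ]; then
    audit_exec "$@"
fi
```

A SIGNED result only says a signature is stored in the package header; whether it chains to a key the admin trusts is what install-time signature checking decides.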