From: Joanna Rutkowska
Subject: Re: Xen signing and wget
Date: Tue, 06 Jul 2010 17:42:11 +0200
Message-ID: <4C334ED3.2060108@invisiblethingslab.com>
To: Keir Fraser
Cc: "xen-devel@lists.xensource.com", Ian Jackson
List-Id: xen-devel@lists.xenproject.org

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

On 07/06/10 17:34, Keir Fraser wrote:
> On 06/07/2010 16:27, "Joanna Rutkowska" wrote:
>
>>>> But you use a plaintext connection, which, in security, means random code.
>>>> I think we have already gone through this last time when discussing the
>>>> signing process for Xen ;)
>>>
>>> Okay, then make a patch, including hashes for our current collection of
>>> downloads.
>>
>> I'm not a Xen developer. I do not sign your tarballs...
>
> Perhaps best then to sign the tarballs we have on xenbits, and verify the
> signatures when we download tarballs. Ian Jackson might pick that up as a
> work item.
>

For me (=user) that would be just fine, but I think *for you* (=vendor) it
might be better to just generate a list of hashes via md5sum and include
this file (say 'sources') in your tarball, and get your Makefiles to just do
md5sum -c sources after it downloads them.
The difference is subtle, but I think you show this way that these are
external components, originally not signed, not created by you (but only
somehow verified, hence the hash). If you sign something with your key, it
suggests you have somehow generated it yourself. I know it's subtle.

joanna.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
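The 'sources' hash-list scheme proposed above, as an added example that is not code from the thread or from Xen: a generator for the list and the check a Makefile target would run right after downloading, exercised against an intact, a modified and a missing download. It assumes GNU coreutils and uses sha256sum rather than the md5sum named in the mail; the tarball names and contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Xen): pin externally downloaded
# tarballs to a hash list shipped in the vendor tarball, verify after fetch.
# Assumes GNU coreutils; uses sha256sum instead of the md5sum named in the mail.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Vendor side, run once: hash the known-good copies of the external
# components and commit the result as 'sources' next to the Makefiles.
gen_sources() {                      # $1 = dir of known-good files, $2 = output list
    ( cd "$1" && sha256sum ./* ) > "$2"
}

# Build side, what a Makefile target runs right after wget/curl and before
# unpacking: every listed file must exist and match, anything else fails.
verify_sources() {                   # $1 = download dir, $2 = hash list
    ( cd "$1" && sha256sum -c --strict --quiet "$2" ) >/dev/null 2>&1
}

# Constructed scenario: two stand-in tarballs, then a clean, a tampered and
# a missing download. Returns 0 only if the check accepts/rejects each correctly.
demo() {
    good="$WORK/good"; dl="$WORK/downloads"
    mkdir -p "$good" "$dl"
    printf 'constructed tarball A\n' > "$good/libfoo-1.0.tar.gz"
    printf 'constructed tarball B\n' > "$good/libbar-2.1.tar.gz"
    gen_sources "$good" "$WORK/sources"
    cp "$good"/* "$dl"/
    verify_sources "$dl" "$WORK/sources" || return 1        # intact download must pass
    printf 'altered in transit\n' >> "$dl/libbar-2.1.tar.gz"
    verify_sources "$dl" "$WORK/sources" && return 2         # modified file must fail
    cp "$good/libbar-2.1.tar.gz" "$dl"/
    rm "$dl/libfoo-1.0.tar.gz"
    verify_sources "$dl" "$WORK/sources" && return 3         # missing file must fail
    return 0
}

demo
```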