Re: Contrasting BSIGN and TRIPWIRE

To: Oscar Levi <elf@buici.com>
Cc: Debian-Devel <debian-devel@lists.debian.org>
Subject: Re: Contrasting BSIGN and TRIPWIRE
From: Jason Gunthorpe <jgg@ualberta.ca>
Date: Mon, 14 Dec 1998 13:49:46 -0700 (MST)
Message-id: <[🔎] Pine.LNX.3.96.981214134432.4746F-100000@wakko>
In-reply-to: <[🔎] 19981214013717.C15760@hazel.buici.com>

On Mon, 14 Dec 1998, Oscar Levi wrote:

> I don't agree with your assessment.  Embedded signatures can be useful
> to a system administrator if the administrator trusts the signatures.
> For example, she would install a Debian system and run a process to
> resign all of the executables with her own key.  During this, the keys

Then why do we need to have signatures? I said that us putting signatures
on the packages is not usefull, the admin signing with their own private
key is entirely different.

> The only advantage of a separate database is to prevent tampering.
> If the administrator is paranoid to have no faith in the encryption,
> then this is the only safe course.  However, the strength of
> contemporary encryption is such that some people may feel it is
> appropriate to use embedded ones.  I suspect you are not one of
> those.  %^)

Encryption in itself is not a magic solution to this problem, only when
used properly in a safe and secure manner does it have meaning.

Jason

Reply to:

References:
- Re: Contrasting BSIGN and TRIPWIRE
  - From: Oscar Levi <elf@buici.com>

Prev by Date: Re: DPLs : what do you think about ...
Next by Date: Re: DPLs : what do you think about ...
Previous by thread: Re: Contrasting BSIGN and TRIPWIRE
Next by thread: Versioned Conffiles was Re: Contrasting BSIGN and TRIPWIRE
Index(es):
- Date
- Thread