[oclug] openssl095a conflicts

Strosberg, Bill bill.strosberg at rcpsc.edu
Wed Aug 15 13:38:46 EDT 2001


> From: Curtis Ireland [mailto:cireland at solidum.com]
>
> > Compiling openssl isn't as difficult as you may think and the
> > instructions on the web site are very clear and easy to follow.
>
> Which is why RPM has a feature to sign with PGP (or GnuPG)
> signatures. Security packages should always be checked against the
> author's public key. At the very least, you will know who made the
> package and who to strangle when it all goes wrong :o)

Curtis:

My point was that when you compile it yourself, you know EXACTLY who to
strangle ... yourself.  Binary RPMs can and too often do get published with
both intentional and unintentional errors included. The ./configure stage of
a build from source verifies the presence and versions of many libraries,
capabilities and functions.  Using someone else's binaries does not allow
this verification process to occur, and the POTENTIAL problems are increased
dramatically.  Your binary RPM assumes your system configuration is
IDENTICAL to that of the publisher.

A digital signature is almost meaningless, given that there is no third
party signature repository/CA worth trusting (non-Government,
non-commercial, non-American etc.).  Given that DNS hijackings can and do
occur, there is almost no way to prove digitally that anyone is who they
say, at least via publicly published signatures/public keys.  The only
thing that is marginally secure is contacting someone by telephone and
having the public signature read out via voice.

Binary RPMs are simply an effort-free method of avoiding the process of
learning and understanding programs you use on your system.  I understand
the need for RPMs, and I certainly do use them on non-production systems,
but you will never catch me (and many others) using someone else's binary
RPMs on a production machine.

--
Bill Strosberg
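The two steps the thread turns on, checking a package against the author's key and getting that key's fingerprint by some channel other than the web site that served the package (Bill's telephone read-out), as an added POSIX shell example that is not part of the original thread and not code from either poster. The fingerprint, file names and the rpm output lines quoted in the comments are constructed; the script assumes GnuPG 2.1 or later (for --import-options show-only) and rpm 4.x, and must run as root for rpm --import to reach the system keyring.

```shell
#!/bin/sh
# Added example (not from the OCLUG thread): trust a signing key only after its
# fingerprint matches one obtained out of band, then confirm that rpm verified
# a signature rather than merely a digest. All sample values are constructed.

# Compare a fingerprint as a person would read it out loud (any spacing, any
# case) with the pinned value. Succeeds only on an exact, non-empty match.
fpr_matches() {
    fpr_a=$(printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
    fpr_b=$(printf '%s' "$2" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
    [ -n "$fpr_a" ] && [ "$fpr_a" = "$fpr_b" ]
}

# Judge one line of `rpm --checksig` (rpm -K) output. An UNSIGNED package
# still prints "pkg.rpm: digests OK" (older rpm: "md5 OK") with exit status 0,
# so the exit status alone proves nothing: require that a signature keyword
# (gpg, pgp or signatures) appears and that the line is not "NOT OK".
sig_verified() {
    case $1 in
        *"NOT OK"*) return 1 ;;
        *" OK") ;;
        *) return 1 ;;
    esac
    case $1 in
        *[gG][pP][gG]*|*[pP][gG][pP]*|*[sS][iI][gG][nN][aA][tT][uU][rR][eE][sS]*)
            return 0 ;;
    esac
    return 1
}

# verify_rpm PACKAGE.rpm KEYFILE.asc PINNED_FINGERPRINT
# 1. read the primary key fingerprint out of the key file without importing it
# 2. refuse everything if it differs from the fingerprint obtained out of band
# 3. import the key into rpm's keyring and check the package signature
verify_rpm() {
    pkg=$1; keyfile=$2; pinned=$3
    actual=$(gpg --batch --with-colons --import-options show-only \
                 --import "$keyfile" 2>/dev/null |
             awk -F: '$1 == "fpr" { print $10; exit }')
    if ! fpr_matches "$actual" "$pinned"; then
        echo "REFUSED: key fingerprint '$actual' does not match pinned '$pinned'" >&2
        return 1
    fi
    rpm --import "$keyfile" || return 1
    result=$(rpm --checksig "$pkg") || true
    echo "$result"
    sig_verified "$result"
}

# Command-line use, e.g.:
#   verify.sh openssl-0.9.5a-1.i386.rpm maintainer-key.asc "1234 5678 ... 5678"
if [ "$#" -eq 3 ]; then
    verify_rpm "$1" "$2" "$3"
fi
```

The pinned fingerprint is the only input that does not come from the same place as the package, so it is the one thing worth typing in by hand from the telephone call; the key file and the RPM can both be fetched from the mirror. The `sig_verified` parser is deliberately strict about the word "NOT OK" and about the presence of a signature keyword, because a digest-only "OK" is exactly what a repackaged binary would produce.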
