User: Password:
|
|
Subscribe / Log in / New account

kernel.org no longer centrally signs submissions

kernel.org no longer centrally signs submissions

Posted Nov 9, 2011 0:24 UTC (Wed) by jimparis (subscriber, #38647)
In reply to: kernel.org no longer centrally signs submissions by raven667
Parent article: KS2011: Kernel.org report

It seems the argument is that, as far as trust goes, "you downloaded this from kernel.org" is exactly the same assurance as the old "this was signed by kernel.org". That may be true (if SSL was used for the download), but it still seems that no harm would be done by also adding that automatic signature. Then SSL wouldn't be necessary, and you could verify that it passed through kernel.org even if you downloaded it from another site or mirror.


(Log in to post comments)

kernel.org no longer centrally signs submissions

Posted Nov 9, 2011 2:49 UTC (Wed) by giraffedata (subscriber, #1954) [Link]

Thanks; that's exactly what I was thinking. The great advantage of a digital signature is that it gives you a basis for trusting something regardless of how it got to you. If I found a kernel by the side of the road, I'd say, "Hell yes, I'll put that on my server. I can see that kernel.org blessed this particular arrangement of bits at some point." But it would be ridiculous to say, "This looks OK. Somebody signed it."

The developer signature appears to serve an entirely different purpose from the kernel.org automatic signature (I suppose it is what tells kernel.org, which does know all the individuals, it's OK to take the code), but the article makes it sound like it is a replacement of -- and improvement on -- it.

kernel.org no longer centrally signs submissions

Posted Nov 9, 2011 3:11 UTC (Wed) by raven667 (subscriber, #5198) [Link]

Just to be clear, an automatic signature _only_ tells you that the bits passed through kernel.org. If you download from kernel.org then it tells you exactly nothing. I'm not sure why you mention ssl, it seems that ssl provides a higher level of assurance and what ssl provides is pretty lame.

Auto signing doesn't provide any more verification than an md5sum file which would probably be a better choice. When signatures are used people often assume a higher level of verification than really exists. Usually when releases are signed the private key is not publicly accessible and is on a separate device that only release approvers have access to, an offline workstation or smart card for example. That procedure can be a higher level of assurance that the bits you have are the right ones


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds