On Fri, Jun 11, 2004 at 02:49:21PM +0100, Paul Millar wrote:
> Why remove the verification of the code's gpg signature? It seems to break a basic security maxim: don't trust the network.
Because the current implementation is b0rken, and it just gives us a false sense of security. If we can't trust the network:

-- why do we trust the script to tell us to do the verification?!? If anything, we would have to automatically always do the verification, not have a command for it. So a command of
    download url.foo
should implicitly generate
    download url.foo.sig
    gpgverify url.foo.sig

-- also, why do we trust the script at all? We should also always sign and verify the script every time. But this will make it rather inconvenient to work with... Oh well, we'll do it if we must. But we have to be careful to NOT accept downloads signed by WineHQ (the sig used to sign the script), because if WineHQ is hacked, all bets are off. In other words, we should trust only human signatures for file download. I'm not sure how easily all this can be implemented in winrash.
In any event, those two lines in the script that I've removed are not the answer. For now I guess we can trust the network.
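The policy argued for above (a download implicitly fetches its .sig and verifies it, and a signature from the script-signing key is never accepted for downloads, only allowlisted human keys), as an added Python example that is not code from this thread or from winrash. The fingerprints and the sample gpg status lines are constructed placeholders, and the download() wrapper assumes gpg is on PATH.

```python
import subprocess
import urllib.request
from typing import Optional, Tuple

# Constructed placeholder fingerprints for illustration; neither is a real key.
SCRIPT_KEY_FPR = "1" * 40      # the key that signs the script itself ("WineHQ" in the thread)
HUMAN_KEY_FPRS = {"2" * 40}    # allowlist of individual maintainers' keys

# Constructed sample status output, shaped like real gpg --status-fd lines (not from a real run).
STATUS_HUMAN = ("[GNUPG:] GOODSIG 2222222222222222 Example Maintainer <maint@example.invalid>\n"
                "[GNUPG:] VALIDSIG " + "2" * 40 + " 2004-06-11 1086961761 0 4 0 17 2 00 " + "2" * 40 + "\n")
STATUS_SCRIPT_KEY = STATUS_HUMAN.replace("2" * 40, "1" * 40).replace("2222222222222222", "1111111111111111")
STATUS_BAD = "[GNUPG:] BADSIG 2222222222222222 Example Maintainer <maint@example.invalid>\n"

def signer_fingerprint(status_text: str) -> Optional[str]:
    """Parse gpg --status-fd output; return the primary-key fingerprint of a GOODSIG/VALIDSIG pair, else None."""
    good, fpr = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            # field 2 is the signing (sub)key fingerprint; field 11, when present, is the primary key's
            fpr = fields[11] if len(fields) > 11 else fields[2]
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return None
    return fpr if good else None

def accept_download(status_text: str) -> Tuple[bool, str]:
    """Apply the thread's policy: a good signature is required, and only human keys are accepted."""
    fpr = signer_fingerprint(status_text)
    if fpr is None:
        return False, "no valid signature"
    if fpr == SCRIPT_KEY_FPR:
        return False, "signed by the script-signing key, which is not trusted for downloads"
    if fpr not in HUMAN_KEY_FPRS:
        return False, "signer %s is not an allowlisted human key" % fpr
    return True, fpr

def download(url: str, dest: str) -> Tuple[bool, str]:
    """Fetch url and url.sig, then verify: the .sig fetch and the gpg run are implicit, not a separate command."""
    sig_path = dest + ".sig"
    urllib.request.urlretrieve(url, dest)
    urllib.request.urlretrieve(url + ".sig", sig_path)
    # --status-fd 1 puts the machine-readable status lines on stdout for accept_download() to parse
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, dest],
                          capture_output=True, text=True)
    return accept_download(proc.stdout)
```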