Time for Open-Source to Grow Up
Jon Lasser, 2002-08-07

The OpenSSH backdoor demonstrates that the community must get pragmatic about package verification, and fast.

Time for Open-Source to Grow Up 2002-08-07
Not Really Anonymous
Is it really so inmature? 2002-08-08
Javier Fernandez-Sanguino (1 replies)
Is it really so inmature? 2002-08-08
Jon (1 replies)
The point is that MD5sums have been more successful than PGP signatures in detecting trojans, even though the latter are (by far) a technically superior solution. We need something as easy to use as MD5sums (or SSL in the Web browser) but as powerful as PGP signatures.

Note that FreeBSD only caught it because of its out-of-band signatures: had they relied on MD5sums in the OpenSSH FTP tree, it would have been a lost cause. Most packages have their MD5sums distributed in the latter fashion; even the Ports tree has a limited number of apps with external MD5sums (i.e., not everything is in the Ports tree).


Link to this comment: http://www.securityfocus.com/comments/columns/101/16100#16100
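The distinction Jon draws above between an in-band checksum (published in the same FTP tree as the tarball) and an out-of-band record (kept separately, as the FreeBSD Ports tree does) can be shown in a few lines of shell. The script below is an added illustration, not code from the column, the commenter, OpenSSH or FreeBSD; the directory layout, the file name openssh-example.tar.gz, the distinfo-style record and all file contents are constructed for the demo. It builds a pretend mirror plus a separate record, checks a tarball both ways, then alters the tarball together with its in-band checksum file (the situation the comment describes, where whoever changes the tree can change the checksum file beside it) and checks again.

```shell
#!/bin/sh
# Added example (not from the page): in-band vs out-of-band checksum verification.
# Assumes md5sum (or openssl as a fallback), awk and mktemp are available.

digest() {
    # MD5 to match the comment's subject; the same logic holds for SHA-256.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -md5 "$1" | awk '{ print $NF }'
    fi
}

setup_demo() {
    # Constructed layout: "mirror" is the distribution tree a downloader fetches
    # from; "ports/distinfo" is a record written elsewhere when the release was
    # first vetted. Prints the directory path.
    d=$(mktemp -d)
    mkdir -p "$d/mirror" "$d/ports"
    printf 'genuine release contents\n' > "$d/mirror/openssh-example.tar.gz"
    h=$(digest "$d/mirror/openssh-example.tar.gz")
    # In-band checksum: lives next to the tarball, inside the same tree.
    printf '%s  openssh-example.tar.gz\n' "$h" > "$d/mirror/openssh-example.tar.gz.md5"
    # Out-of-band record: stored outside the tree (distinfo-style line, constructed).
    printf 'MD5 (openssh-example.tar.gz) = %s\n' "$h" > "$d/ports/distinfo"
    echo "$d"
}

verify_inband() {
    # Trusts the .md5 file sitting beside the download. Exit 0 on match.
    actual=$(digest "$1/mirror/openssh-example.tar.gz")
    expected=$(awk '{ print $1 }' "$1/mirror/openssh-example.tar.gz.md5")
    [ "$actual" = "$expected" ]
}

verify_outofband() {
    # Compares against the separately kept record. Exit 0 on match.
    actual=$(digest "$1/mirror/openssh-example.tar.gz")
    expected=$(awk '{ print $NF }' "$1/ports/distinfo")
    [ "$actual" = "$expected" ]
}

simulate_compromise() {
    # Threat model from the comment: a change to the tree can also rewrite the
    # checksum file kept in it, so the in-band record simply follows the tarball.
    # The out-of-band record in ports/ is untouched.
    printf 'genuine release contents plus unwanted additions\n' \
        > "$1/mirror/openssh-example.tar.gz"
    digest "$1/mirror/openssh-example.tar.gz" \
        | awk '{ print $1 "  openssh-example.tar.gz" }' \
        > "$1/mirror/openssh-example.tar.gz.md5"
}

# Stand-alone walk-through.
demo=$(setup_demo)
verify_inband "$demo"    && echo "clean tree: in-band check passes"
verify_outofband "$demo" && echo "clean tree: out-of-band check passes"
simulate_compromise "$demo"
verify_inband "$demo"    && echo "altered tree: in-band check still passes (tells you nothing)"
verify_outofband "$demo" || echo "altered tree: out-of-band check fails (mismatch detected)"
rm -rf "$demo"
```

The checksum algorithm is not what decides the outcome here; what matters is where the reference value is stored and who could have written it. A detached PGP signature over the tarball gives the same property without a second tree to maintain, which is the trade-off the comment is weighing.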
Is it really so inmature? 2002-08-11
Not Really Anonymous
Time for Open-Source to Grow Up 2002-08-09
Anonymous
PGP is still the answer 2002-08-10
Sloppy
Stick to PGP 2002-08-11
Anonymous (2 replies)
Stick to PGP 2002-08-12
Anonymous
Stick to PGP 2002-08-14
Anonymous
Time for Open-Source to Grow Up 2002-08-16
Anonymous
Copyright 2009, SecurityFocus