Time for Open-Source to Grow Up
Jon Lasser, 2002-08-07

The OpenSSH backdoor demonstrates that the community must get pragmatic about package verification, and fast.

Time for Open-Source to Grow Up 2002-08-07
Not Really Anonymous
Is it really so immature? 2002-08-08
Javier Fernandez-Sanguino (1 replies)
Is it really so immature? 2002-08-08
Jon (1 replies)
Is it really so immature? 2002-08-11
Not Really Anonymous
Time for Open-Source to Grow Up 2002-08-09
Anonymous
PGP is still the answer 2002-08-10
Sloppy
Whatever you come up with, could just be a degenerate subset of PGP. A web-of-trust system can emulate a hierarchical system; just have the tool come with the distributor's PGP key the same way that, for example, web browsers come with some trusted SSL certs.

No need to invent any new standards, no need to fragment the marketplace. You want a lame and simplified program that has some embedded key and is simple to use? Fine. But stay PGP compatible.

If you stay PGP-compatible, then paranoid admins, people who are willing to live with the extra complexity of PGP, can be safe (since they'll always be conscious of how well they trust the distributor's key), while the people who don't want the extra complexity take the extra risk that the distributor's key built into their tools may have been altered. Everybody gets what they want.

Stick to PGP 2002-08-11
Anonymous (2 replies)
Stick to PGP 2002-08-12
Anonymous
Stick to PGP 2002-08-14
Anonymous
Time for Open-Source to Grow Up 2002-08-16
Anonymous







 
