Time for Open-Source to Grow Up
Jon Lasser, 2002-08-07

The OpenSSH backdoor demonstrates that the community must get pragmatic about package verification, and fast.

Time for Open-Source to Grow Up 2002-08-07
Not Really Anonymous
Is it really so immature? 2002-08-08
Javier Fernandez-Sanguino (1 replies)
Is it really so immature? 2002-08-08
Jon (1 replies)
Is it really so immature? 2002-08-11
Not Really Anonymous
Time for Open-Source to Grow Up 2002-08-09
Anonymous
PGP is still the answer 2002-08-10
Sloppy
Stick to PGP 2002-08-11
Anonymous (2 replies)
Stick to PGP 2002-08-12
Anonymous
Stick to PGP 2002-08-14
Anonymous
Time for Open-Source to Grow Up 2002-08-16
Anonymous
There already is a tool for sensible admins to verify the software that they download. One of the functions of the Redhat Package Manager is storage and verification of GPG signatures. When I download software from Redhat, I simply type 'rpm -K [packagename.rpm]' and it tells me whether Redhat signed the file or not.

RPM is open source and, IIRC, is portable to other *nix's. I know rpm has its warts, but there is nothing inherent in the architecture that can't be fixed. I think we would all be a lot better off if we standardized on SOMETHING, no matter how many warts it may have.


Link to this comment: http://www.securityfocus.com/comments/columns/101/16172#16172
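The commenter's 'rpm -K' check has one trap worth knowing as a defender: a package with no signature at all still prints "... OK" (only its digests were checked) and exits 0, so a script that keys on the exit status alone will happily accept unsigned software. The helper below, an added example that is not part of the comment or of the rpm project, classifies one line of 'rpm -K' output and only reports success when a signature is present and verified; it assumes the two common output shapes, the older "(sha1) dsa sha1 md5 gpg OK" and the rpm 4.14+ "digests signatures OK", and the package file names in the comments are constructed.

```shell
#!/bin/sh
# rpm_sig_ok LINE
#   Returns 0 only if the `rpm -K` output LINE shows a signature that verified.
#   Returns 1 for "NOT OK", for an unexpected format, and for the unsigned
#   case ("digests OK" / "sha1 md5 OK"), which rpm itself reports as success.
rpm_sig_ok() {
    line=$1
    # Drop the "filename: " prefix so a package called e.g. gpg-*.rpm cannot
    # satisfy the signature-token check below through its own name.
    result=${line#*": "}
    case "$result" in
        *"NOT OK"*) return 1 ;;        # digest/signature failure or missing key
    esac
    case "$result" in
        *" OK") ;;                     # every check rpm ran passed
        *) return 1 ;;                 # anything else: do not trust it
    esac
    # Require an actual signature token; compare lower-cased so that
    # "SIGNATURES" from newer rpm versions matches as well.
    lower=$(printf '%s' "$result" | tr 'A-Z' 'a-z')
    case "$lower" in
        *gpg*|*pgp*|*signatures*) return 0 ;;
        *) return 1 ;;                 # digests only: package is unsigned
    esac
}

# verify_rpm FILE: run the real check on a package and apply the rule above.
# `rpm -K` exits non-zero on NOT OK, so the exit status is deliberately ignored
# and only the printed verdict line is inspected.
verify_rpm() {
    out=$(rpm -K "$1" 2>&1) || true
    rpm_sig_ok "$out"
}
```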
Copyright 2008, SecurityFocus