Re: Code signing
Meadhbh Hamrick
I bet security requirements are going to be all over the map in this group.
I bet people who are trying to push out media to end user devices are going to be VERY interested in signed code, but other people who are running binaries they completely compiled from source files they just downloaded from github are going to be more interested in verifying the provenance of the tarballs they just downloaded than verifying signatures on executables they just built.

I'm mostly in the latter camp, except for the tiny bits where i'm in the former. I really want my developers that are building FLOSS projects to be able to pick operational security procedures that make sense for them (but yeah, at the same time I don't want to say "SIGNING EXECUTABLES IS USELESS!" because I do bump up into that world from time to time and know it's a requirement for some people.)

I guess what I'm saying is... I bet it's going to be a little more complicated than people might originally think based on their own experiences. But I also think we could do a small amount of work up-front to define a handful of security models that will work for 80% of people on the list and it'll give the other 20% something to point at when they're trying to describe how it doesn't work.

Do you have specific requirements, Nathan? Like I said, I'm mostly a backend server farm guy, but every now and again I bump into the mobile / app store world where code signing makes a lot more sense.

-cheers
-m

--
meadhbh hamrick * it's pronounced "maeve"
@OhMeadhbh * http://meadhbh.hamrick.rocks/ * OhMeadhbh@...
Sent from my TRS-80 Model 102

On Tue, Aug 21, 2018 at 3:29 PM, Nathan Loofbourrow <njloof@...> wrote:
I know it’s early days, especially for Windows and Mac, but will there be a