Digital Signatures on distribution packages
Has consideration been given to the use of digital
signatures on the distribution packages that are available
from the OpenLDAP ftp server?  I know that there are
md5 checksums on the ftp site, but those are useful only
to verify that the download worked OK. I'm talking about
source-verifiable signatures such as are possible with GPG.
My employer is considering a policy that would prohibit
the use of open-source software downloaded without any such
source verification. From what I can tell this would make
it difficult for us to use newer versions of OpenLDAP,
since such signatures are not available.
While I certainly wouldn't expect such an effort to be made
just for a single non-contributing user, the reality of
attacks against other free software project servers would
seem to indicate that this would be a Good Idea anyway.
Thanks for any thoughts on this y'all can provide,
I apologize if this has been hashed out before, or if
this is the wrong list to ask this question. I did spend
some time with webglimpse on the mailing list archives
and with other tools in my own archive extending back to
last April, and I didn't find it discussed, although I'll
admit to having signal-to-noise ratio problems what with
all the hits on digital signatures within mailing list
posts. I welcome redirection to prior discussion and/or
the proper forum.
In our discussions of this matter, it appears that
source packages signed by, e.g., RedHat and distributed in
a source RPM would be acceptable, but it often takes some
time for new versions to trickle down to those channels.
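As an added illustration of the distinction drawn above (this is example code, not from the post or the OpenLDAP project), the following Go program models a mirror that serves an archive together with its published checksum and a detached signature, then simulates a compromised mirror. ed25519 and sha256 stand in for GPG and md5, the archive contents are constructed samples, and the verifier is assumed to hold the maintainer's public key from somewhere other than the mirror.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what a mirror serves: the archive, a published checksum and a
// detached signature made with the maintainer's private key.
type Release struct {
	Archive   []byte
	Checksum  [32]byte // sha256 stands in for the md5 on the ftp site
	Signature []byte   // detached ed25519 signature over Archive
}

// publish builds a release the way a maintainer would: checksum and
// signature are both computed over the same archive bytes.
func publish(priv ed25519.PrivateKey, archive []byte) Release {
	return Release{
		Archive:   archive,
		Checksum:  sha256.Sum256(archive),
		Signature: ed25519.Sign(priv, archive),
	}
}

// checksumOK answers only "did the download match what the server claims".
func checksumOK(r Release) bool {
	return sha256.Sum256(r.Archive) == r.Checksum
}

// signatureOK answers "did the holder of the trusted key sign these bytes";
// trusted must come from out of band (keyserver, web of trust), not the mirror.
func signatureOK(trusted ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(trusted, r.Archive, r.Signature)
}

// tamper models a compromised mirror: the attacker swaps the archive and
// regenerates the checksum, which needs no secret, but cannot re-sign.
func tamper(r Release, evil []byte) Release {
	return Release{Archive: evil, Checksum: sha256.Sum256(evil), Signature: r.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := publish(priv, []byte("openldap-x.y.z.tgz (constructed sample)"))
	bad := tamper(good, []byte("backdoored archive (constructed sample)"))
	fmt.Println(checksumOK(good), signatureOK(pub, good)) // true true
	fmt.Println(checksumOK(bad), signatureOK(pub, bad))   // true false
}
```

The second line of output is the whole argument: a checksum hosted beside the package verifies under tampering, while the signature does not.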