Checking for new version of a program

Andrei Kulakov sill at optonline.net
Tue Aug 21 23:37:00 EDT 2001


On Wed, 22 Aug 2001 10:23:01 +1000, Delaney, Timothy <tdelaney at avaya.com> wrote:
>> Interesting.. I think maybe I should put a warning in the README that
>> enabling auto-update may be a security risk if my server is cracked, so if
>> the system has secrets on it, user must disable the feature. With
>> signatures, even, private signature also can be compromised.. but then
>> again, even if there is no auto-update, someone can just crack the server
>> and replace tarball with a trojan (and then post an update to freshmeat
>> for good measure!).
> 
> Well, no - you don't have the *server* apply the signature - you have that
> already applied to the file to be downloaded. Otherwise any file would
> appear to be a valid download. Sure - someone could crack your server and
> put a trojan on there - but since it isn't signed properly, your app would
> refuse it.
> 
> Tim Delaney

Thanks for the reply..

What would be a good place to read about signatures and such? 

 - Andrei

-- 
Cymbaline: intelligent learning mp3 player - python, linux, console.
get it at: cy.silmarill.org
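
The check Tim describes, as an added example that is not part of the original thread or of Cymbaline: the release is signed on the developer's machine, and the application verifies it against a public key it ships with before installing. The thread names no signature scheme, so RSA PKCS#1 v1.5 with SHA-256 is an assumption here, written out with the standard library only so the steps are visible (a real updater would use GPG or a vetted crypto library); the key is a constructed demo key and every function name is hypothetical.

```python
import hashlib
import hmac

# DER prefix of a SHA-256 DigestInfo structure (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data), padded to k bytes."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(data: bytes, n: int, d: int) -> bytes:
    """Runs on the developer's machine; d is never stored on the download server."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_encode(data, k), "big")
    return pow(m, d, n).to_bytes(k, "big")

def verify(data: bytes, sig: bytes, n: int, e: int) -> bool:
    """Runs inside the application; needs only the public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _encode(data, k))

# Constructed demo key built from two Mersenne primes: trivially factorable,
# for illustration only. N and E ship with the application; D stays offline.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # requires Python 3.8+

def install_update(tarball: bytes, sig: bytes) -> str:
    """Hypothetical updater step: refuse anything the pinned key did not sign."""
    return "installed" if verify(tarball, sig, N, E) else "refused"

# Constructed sample data: a genuine release, its signature, and the file an
# intruder on the download server might put in its place.
release = b"constructed tarball bytes v1.1"
release_sig = sign(release, N, D)
trojan = b"constructed tarball bytes v1.1 + trojan"

if __name__ == "__main__":
    print(install_update(release, release_sig))
    print(install_update(trojan, release_sig))
```
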


