Mailscanner Update
MailScanner
mailscanner at SMITS.CO.UK
Tue Mar 9 12:05:43 GMT 2004
I only ever verify archives against a signature acquired through another
route. If someone takes the trouble to spike the archive, then I'm sure
they will take the trouble to create a new signature for it. Having them
both on the same web page offers very little real security.
A more secure way of signing binaries would be to use an SSL certificate
from a globally trusted root CA, but I can understand that the cost
would be prohibitive for most open source projects and this method still
leaves the CA vulnerable to social engineering attacks (remember the
unauthorised Microsoft certs a while ago?).
Fortunately, most open source code is pretty closely scrutinised and
exploits usually get spotted quickly.
Bart...
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Peter Bonivart
Posted At: 08 March 2004 23:40
Posted To: MailScanner
Conversation: Mailscanner Update
Subject: Re: Mailscanner Update
Kevin Miller wrote:
> So, um, OK, let's say someone (strictly hypothetically speaking of
> course - at least that's my story and I'm sticking to it <g>) didn't
> know what the two little commmands are exactly but want to better
> themselves. What would they run?
What you need to do is:
# gpg --verify MailScanner-4.28.6-1.tar.gz.sig
But before that there's some small things to take care of, they are
nicely described here:
http://www.mandrakesecure.net/en/docs/gpg.php
--
/Peter Bonivart
--Unix lovers do it in the Sun
Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2
More information about the MailScanner
mailing list