Mailscanner Update

MailScanner mailscanner at SMITS.CO.UK
Tue Mar 9 12:05:43 GMT 2004


I only ever verify archives against a signature acquired through another
route. If someone takes the trouble to spike the archive, then I'm sure
they will take the trouble to create a new signature for it. Having them
both on the same web page offers very little real security.

A more secure way of signing binaries would be to use an SSL certificate
from a globally trusted root CA, but I can understand that the cost
would be prohibitive for most open source projects and this method still
leaves the CA vulnerable to social engineering attacks (remember the
unauthorised Microsoft certs a while ago?).

Fortunately, most open source code is pretty closely scrutinised and
exploits usually get spotted quickly.

Bart...

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Peter Bonivart
Posted At: 08 March 2004 23:40
Posted To: MailScanner
Conversation: Mailscanner Update
Subject: Re: Mailscanner Update


Kevin Miller wrote:
> So, um, OK, let's say someone (strictly hypothetically speaking of
> course - at least that's my story and I'm sticking to it <g>) didn't
> know what the two little commands are exactly but want to better
> themselves.  What would they run?

What you need to do is:

# gpg --verify MailScanner-4.28.6-1.tar.gz.sig

But before that there are some small things to take care of, they are
nicely described here:

http://www.mandrakesecure.net/en/docs/gpg.php

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2
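Putting the two posts together, added here as an example and not code from either poster or the MailScanner project: Peter's `gpg --verify` tells you the signature matches the archive, and Bart's point is that this means nothing unless the signing key itself is checked against something obtained through another route. The script below wraps gpg's machine-readable `--status-fd` output and only succeeds when the signature is valid AND the signing key's fingerprint equals one you pinned out of band. It assumes gpg is installed and the signing key has already been imported; the fingerprint in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies a detached GnuPG signature
# the way Bart describes: the archive and its .sig may sit on the same web page,
# but the signing key's fingerprint is pinned from a second channel (a keyserver,
# a printed fingerprint, a key you already trust from an earlier release).
# Assumes gpg is installed and the signing key has already been imported.

# Parse the machine-readable lines gpg emits with --status-fd.
# Succeeds only when a VALIDSIG line carries the pinned fingerprint, either as
# the signing (sub)key or as the primary key. A GOODSIG from some other key,
# e.g. a fresh key made by whoever spiked the archive, is rejected.
#   $1    = pinned fingerprint (40 hex digits; spaces and case are ignored)
#   stdin = gpg status lines
check_validsig() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    result=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <sig-fpr> <date> <ts> <expire-ts> <ver> <reserved>
                #          <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
                set -- $line
                sigfpr=$3
                primary=${12:-$3}
                if [ "$sigfpr" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    result=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                # tampered file, unusable signature, or key not imported
                return 1
                ;;
        esac
    done
    return $result
}

# Run gpg and feed its status output to the check above. gpg's own exit status
# is not enough: "gpg --verify" exits 0 for a good signature from any key it
# has, trusted or not, and only prints a warning about the missing trust path.
#   $1 = archive, $2 = detached signature, $3 = pinned fingerprint
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_validsig "$3"
}

# Usage (fingerprint below is a placeholder; take the real one from a source
# other than the download page):
#   verify_release MailScanner-4.28.6-1.tar.gz MailScanner-4.28.6-1.tar.gz.sig \
#       "XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX" && echo "archive OK"
```

The fingerprint comparison is the whole point: a signature and key pair that an attacker uploaded alongside a spiked tarball will pass `gpg --verify` just as cleanly as the real ones, so the script refuses anything that is not signed by the key you already know.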
