Daniel F [ARCHIVE] on Nostr: 📅 Original date posted:2013-08-05 📝 Original message:If you want package ...

📅 Original date posted:2013-08-05
📝 Original message:If you want package authentication, you should at least throw in some
digital signing, not just a checksum. With a compromised host, both the
checksum and binaries can be changed undetectably, but if there's a
signature made by a key that is not kept on the host, there's no way to
fake a valid binary.

There may be other issues people would want to bring up, but surely just
a checksum is not sufficient.

on 08/05/2013 10:39 AM Wendell said the following:
> For usability purposes, we at Hive would like to have an
> auto-updater
in our wallet app.
>
> What is a safe way to do this? I understand that Bitcoin-QT lacks
> such
an updater for security reasons... Has been thought out in more detail
since that decision was made?
>
> We have been toying around with the idea of placing one server
> behind
a Tor hidden service, whose only function is to output a checksum of the
update package. The theory is that if it is well-secured, it will at
least be immune to tampering at the physical hosting level.
>
> Any thoughts or advice about any of this?
> -wendell
>
> grabhive.com | twitter.com/grabhive | gpg: 6C0C9411
>
>
>
> ------------------------------------------------------------------------------
> Get your SQL database under version control now!
> Version control is standard for application code, but databases havent
> caught up. So what steps can you take to put your SQL databases under
> version control? Why should you start doing it? Read more to find out.
> http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
>
>
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>