________________________________
From: Peter Eisentraut [mailto:peter_e@gmx.net]
Sent: Sat 7/22/2006 1:17 PM
To: Dave Page
Cc: pgadmin-hackers@postgresql.org
Subject: Re: [pgadmin-hackers] Dave Page's PGP key
> If you believe that breaking into the web server is impossible, or
> impossible enough, you don't need PGP signatures, because the file that
> is being protected sits on the same or similar web server.
Of course I don't believe it's impossible.
> Uploading a key to a key server is simple enough, and I have no
> knowledge that the key that is there now is yours to begin with. And
> even if you tell me it is, I don't know that you sent this email.
Until 2 weeks ago you had zero knowledge of who I really was anyway :-)
> You see, all an attacker would really have to do is install an HTTP
> proxy near the recipient's host that deals out altered files. The
> security of the infrastructure on your side is only part of the
> generally insecure communications link that PGP wants to protect
> against.
>
> Of course this is thoroughly paranoid, and I have no suspicion at all
> that pgAdmin downloads are being compromised, but recently I see too
> many people who attempt to "secure" their downloads by signing them
> with signature-less PGP keys, which gives exactly nil additional
> security.
I'm not claiming it's totally secure. What I'm saying is that the effort involved in compromising the measures we have
putin place is most likely far higher than would be worthwhile for any possible gain. Adding an unsigned signature to
allthe files gives the slightly paranoid user the ability to at least check that the file was signed by the person that
theybelieve to be me.
The totally paranoid amongst us can meet me at the Bird & Baby in Oxford where I'll produce photo ID and a copy of
pgAdminon CD in return for a pint and a burger :-)
> > Compare that to the md5sum's that Greg(?) produces
>
> That is not the standard you want to compare with. But Greg actually
> does have signatures on his key.
Yes, Greg does have signatures, but my point remains - my unverified ket is far harder to fake or compromise than a
listof md5sums generated from possibly-already-compromised tarballs. On the plus side, Greg does sign his emails
containingthose sums which puts him way up on many other projects who simply include the checksums, unsigned on the
sameftp server as the files.
Regards, Dave.