[cmake-developers] malware?
Alan W. Irwin
irwin at beluga.phys.uvic.ca
Fri Jul 24 12:54:07 EDT 2015
An additional and obvious security measure is to cryptographically
sign each file release with a detached armored signature, e.g.,
gpg --default-key <keyid> --detach-sign --armor cmake-3.3.0.tar.gz
where keyid is a CMake release manager identification key (also created
and distributed by gpg).
The above command creates a small file called cmake-3.3.0.tar.gz.asc which
security-conscious users download along with the tarball itself.
They can then verify every byte of both downloads and that the correct
cryptographic signature from the CMake release manager was applied using
gpg --verify cmake-3.3.0.tar.gz.asc
Most important open-source projects (and even many unimportant ones
like PLplot, :-) ) routinely apply this security measure for release
tarballs, but for some reason up to now, Kitware has not.
Alan
__________________________
Alan W. Irwin
Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).
Programming affiliations with the FreeEOS equation-of-state
implementation for stellar interiors (freeeos.sf.net); the Time
Ephemerides project (timeephem.sf.net); PLplot scientific plotting
software package (plplot.sf.net); the libLASi project
(unifont.org/lasi); the Loads of Linux Links project (loll.sf.net);
and the Linux Brochure Project (lbproject.sf.net).
__________________________
Linux-powered Science
__________________________
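As an added example (not from the post or from Kitware), a POSIX shell script that performs the verification step above and also pins the release manager's key by full fingerprint, because `gpg --verify` alone reports success for any key present in the local keyring; the tarball name and fingerprint are placeholders.

```shell
#!/bin/sh
# Verify a detached armored signature on a release tarball and pin the signing
# key: "gpg --verify" exits 0 for ANY key in the local keyring, so a real check
# must also confirm the fingerprint of the key that produced the signature.
# Fingerprints and file names here are placeholders, not real CMake values.

# Read gpg --status-fd output on stdin and succeed only if a VALIDSIG line
# names the expected full fingerprint. A VALIDSIG line has the shape:
#   [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ... [<primary-fpr>]
# BADSIG, ERRSIG or a signature by any other key never produce that line.
signature_matches_key() {
    expected="$1"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $expected "*) return 0 ;;
        esac
    done
    return 1
}

# Run gpg with machine-readable status on stdout and feed it to the checker.
# Usage: verify_release cmake-3.3.0.tar.gz <40-hex-fingerprint>
# Assumes the release manager's public key has already been imported.
verify_release() {
    tarball="$1"
    expected_fpr="$2"
    gpg --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null \
        | signature_matches_key "$expected_fpr"
}
```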