On Mon, Oct 25, 2004 at 11:53:17PM -0500, Gregory G Carter wrote:
They still crack Windows with perfectly signed packages from Microsoft. I do not see signatures as such a big deal, therefore as they have not really impacted code security of Microsoft products.
They've impacted it greatly in terms of things like windows updater. The mess would have been even worse without it.
In FACT, I do not see how signing binaries helps really in dealing with secure code for end users.
As an admin you set various directories as "only rpm/up2date" can install, or even set "nothing is executable unless rpm/up2date installed it" type policies in SELinux and turn on signature checking.
That makes the keys valuable for the policy side of enforcement. The tools to do this exist now.
Signed by Microsoft and of course, Doesn't Mean Jack. The best a signed package can do is tell you where it is from. But, it doesn't make your code any less crackable or any more secure.
No argument there.
Alan