[Biojava-dev] biojava / Security
Thomas Down
td2 at sanger.ac.uk
Fri Jul 25 20:45:02 EDT 2003
On Fri, Jul 25, 2003 at 10:57:48AM -0700, Chris Abajian wrote:
> It would increase my confidence if biojava.org posted signed MD5
> checksums of the binary tarballs. Although to be honest, I just install
> them and don't give it a second thought ;-)
Yes, that's a good point -- most attacks I've heard of against
open source projects have taken the form of "crack the FTP server
and upload some trojaned files", rather than getting the malicious
code into the master codebase.
I can certainly put MD5SUMs into the announcement e-mails for
future releases. Another, arguably stronger, solution is to
use PGP-style digital signatures. We could do that, too, if
there was demand, but my guess is that less people would check
these than MD5SUMs, so that's probably the more valuable option.
Thomas.
More information about the biojava-dev
mailing list