[Biojava-dev] biojava / Security

Warth,Rainer,LAUSANNE,NRC/BAS rainer.warth at rdls.nestle.com
Thu Aug 14 17:21:58 EDT 2003


Dear Thomas and Chris,
	thanks for your feedback and comments on MD5SUM and PGP-style
digital signatures.
I am not very familiar with this. I will do some reading and see if I can
make a contribution.

Thomas, where could I learn more about attacks on open source projects?

Best, Rainer

-----Original Message-----
From: Thomas Down [mailto:td2 at sanger.ac.uk]
Sent: Friday, 25 July 2003 20:45
To: Chris Abajian
Cc: Francois Pepin; Warth,Rainer,LAUSANNE,NRC/BAS;
'biojava-dev at biojava.org'
Subject: Re: [Biojava-dev] biojava / Security


On Fri, Jul 25, 2003 at 10:57:48AM -0700, Chris Abajian wrote:
> It would increase my confidence if biojava.org posted signed MD5
> checksums of the binary tarballs.  Although to be honest, I just install
> them and don't give it a second thought ;-)

Yes, that's a good point -- most attacks I've heard of against
open source projects have taken the form of "crack the FTP server
and upload some trojaned files", rather than getting the malicious
code into the master codebase.

I can certainly put MD5SUMs into the announcement e-mails for
future releases.  Another, arguably stronger, solution is to
use PGP-style digital signatures.  We could do that, too, if
there was demand, but my guess is that fewer people would check
these than MD5SUMs, so that's probably the more valuable option.

     Thomas.
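The point in the exchange above is that a checksum file sitting on the same download host as the tarball is worthless against the attack Thomas describes (attacker controls the host, so regenerates MD5SUMS along with the trojaned tarball), whereas a checksum published through a separate channel such as the announcement mail does catch the swap. The example below is added here and is not code from the thread or from the BioJava project. It writes and verifies a manifest in the md5sum/sha256sum "-c" line format and runs both scenarios on constructed tarball bytes; the file names and tarball contents are made up for illustration. It defaults to MD5 to match the thread, but MD5 is no longer collision-resistant, so a release manifest today should use SHA-256 (the "algo" parameter). A PGP signature over the manifest, which the thread calls the stronger option, is what closes the remaining gap (a forged announcement mail); that step is not shown here.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed sample data: the tarball as the maintainer built it, and the
# same file after an attacker with write access to the download host
# replaced it. Neither is a real BioJava release.
GOOD_TARBALL = b"biojava-1.x-bin.tar.gz (constructed sample bytes)"
TROJANED_TARBALL = b"biojava-1.x-bin.tar.gz (constructed sample bytes) + backdoor"
RELEASE_NAME = "biojava-1.x-bin.tar.gz"   # hypothetical file name


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of the data; 'md5' matches the thread, 'sha256' is the modern choice."""
    return hashlib.new(algo, data).hexdigest()


def make_manifest(files: Dict[str, bytes], algo: str = "md5") -> str:
    """Produce a manifest in the format md5sum/sha256sum -c expects: '<hex>  <name>'."""
    return "".join(f"{digest(data, algo)}  {name}\n" for name, data in files.items())


# '<hex>' then one space, then either a space (text mode) or '*' (binary mode), then the name.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](\S.*)$")


def verify_manifest(manifest: str, files: Dict[str, bytes], algo: str = "md5") -> Dict[str, bool]:
    """Check each manifest entry against the bytes actually obtained for that file name.

    A missing file counts as a failure, and digests are compared with a
    constant-time comparison so the checker itself does not leak anything.
    """
    results: Dict[str, bool] = {}
    for line in manifest.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        match = MANIFEST_LINE.match(line)
        if not match:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected, name = match.group(1).lower(), match.group(2)
        data = files.get(name)
        results[name] = data is not None and hmac.compare_digest(digest(data, algo), expected)
    return results


def scenario_checksums_on_the_download_host() -> Dict[str, bool]:
    """Attacker owns the FTP/HTTP host, so the MD5SUMS file is regenerated with the
    trojaned tarball. Verification passes: the checksum proved nothing."""
    served = {RELEASE_NAME: TROJANED_TARBALL}
    served_manifest = make_manifest(served)      # written by the attacker
    return verify_manifest(served_manifest, served)


def scenario_checksums_in_announcement_mail() -> Dict[str, bool]:
    """The maintainer computed the manifest before upload and put it in the
    announcement mail, which the attacker cannot rewrite. The swap is detected."""
    announced_manifest = make_manifest({RELEASE_NAME: GOOD_TARBALL})
    served = {RELEASE_NAME: TROJANED_TARBALL}
    return verify_manifest(announced_manifest, served)


if __name__ == "__main__":
    print("manifest from the download host:", scenario_checksums_on_the_download_host())
    print("manifest from the announcement:", scenario_checksums_in_announcement_mail())
```

The same two checks map directly onto the command-line tools: "sha256sum -c SHA256SUMS" passes in the first scenario and fails in the second, which is why the manifest, or better a detached signature over it, has to come from somewhere the download host cannot alter.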

