Re: Digital Signatures for the official Vim binaries on Windows

  • Philip Taron
    Message 1 of 14 , Jan 2, 2012
      > This is a Microsoft scare tactic, there's no reason not to trust
      > software if you are confident of where you got it. You can eat food
      > from state certified restaurants and get sick, or eat at a neighbor's
      > house and feel great. (I'd even argue the latter is safer.)

      Dare I note that both sourceforge.net and vim.org are not offered over https? Without that, there's no way to know whether I'm eating at a mockup of my neighbor's house or at the house itself.

      > So I'd love to see the point made using Free Software and not
      > requiring license fees or key hosting by whatever corporation. (Unless
      > the case is being made that only state sponsored food should be
      > allowed.)

      >> Cream distro -- well, that one suffers from the same problem. I'd
      >> prefer to use the vim.org/Bram build of Vim if I can, since I can be
      >> sure it is fully up to date and doesn't have janky personal
      >> customizations and patches.

      > You obviously don't get the point of Free Software. :)

      Hey, enough with the hate, suffixed with smiley faces as it is. Anything prefaced with the phrase "I prefer" surely is meant only in a personal manner. More power to you for creating and maintaining Cream. It's not _my_ preference.

      >> Why does it take funds? Because not everyone can be a certificate
      >> authority. There is a chain of trust that originates in the set of
      >> root certificates installed on everyone's machines, and self-signed
      >> certs must be manually added on every machine that wants to trust
      >> that author is who he or she claims they are.

      > It only takes funds because the crooks that are trying to scare
      > everyone into a fully sponsored "security solutions" need money to
      > survive.

      Root of trust, distribution of keys, revocation, and the other associated issues with a global PKI are real problems. In a free software context, see the hack on kernel.org and GNU savannah...

      Digitally signing the binaries wouldn't have eliminated either of these problems, but would have made cleaning up after them quite a bit easier.

      Philip 

      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php
    • Philip Taron
      Message 2 of 14 , Jan 2, 2012
        >>> Cream distro -- well, that one suffers from the same problem. I'd
        >>> prefer to use the vim.org/Bram build of Vim if I can, since I can be
        >>> sure it is fully up to date and doesn't have janky personal
        >>> customizations and patches.

        >> You obviously don't get the point of Free Software. :)

        > Hey, enough with the hate, suffixed with smiley faces as it is. Anything prefaced with the phrase "I prefer" surely is meant only in a personal manner. More power to you for creating and maintaining Cream. It's not _my_ preference.

        On consideration, I apologize for the "janky" characterization. It was uncalled for.

        Philip

      • Ernie Rael
        Message 3 of 14 , Jan 2, 2012
          On 1/2/2012 8:43 PM, Philip Taron wrote:

          > Dare I note that both sourceforge.net and vim.org are not offered over https? Without that, there's no way to know whether I'm eating at a mockup of my neighbor's house or at the house itself.

          When I log into sf.net I start getting an https URL.

          -ernie

        • Bram Moolenaar
          Message 4 of 14 , Jan 4, 2012
            Philip Taron wrote:

            > I noticed for some time now that the official Vim binaries distributed
            > on vim.org for Windows users aren't digitally signed.
            >
            > Is this due to lack of funds, lack of desire, technical limitations,
            > or personal choice?
            >
            > If it is lack of funds, I'd like to donate so this could happen.

            It's a lot of hassle to get this certification, costs quite a bit of
            money (several thousand dollars), and only gives a little bit of
            protection. The obvious way around it is to just replace the signed
            binary with a not signed binary, hardly anyone would notice.

            In practice messing with the files has never happened and if it did it
            would most likely be detected and fixed quickly.

            Trojan horses are a big problem, but the signature is a very weak
            protection against them.

            --
            If cars evolved at the same rate as computers have, they'd cost five euro,
            run for a year on a couple of liters of petrol, and explode once a day.

            /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
            /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
            \\\ an exciting new programming language -- http://www.Zimbu.org ///
            \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

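Two points in this thread lend themselves to a concrete check: the quoted remark that trust comes from a fixed set of root keys installed on the user's machine (anything self-signed is not trusted until someone pins it), and Bram's observation that an attacker who can replace the file can also just ship it without a signature. Below is an added example, not code from the thread or from the Vim project, showing what a client-side verifier has to do for signing to help at all. It assumes a simplified scheme (Ed25519 over SHA-256 of the file, with a single pinned maintainer key standing in for the root-certificate store) rather than Authenticode, and the "binary" and key pairs are constructed in-process; `Release`, `Sign`, `Verify` and `Scenarios` are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sentinel errors: an unsigned download is rejected, not waved through.
var (
	ErrMissingSignature = errors.New("release has no signature")
	ErrBadSignature     = errors.New("signature does not verify under the pinned key")
)

// Release models what a user downloads: the installer bytes plus a detached
// signature. A nil Signature means the file shipped (or was re-served) unsigned.
type Release struct {
	Name      string
	Binary    []byte
	Signature []byte
}

// Sign produces a detached Ed25519 signature over SHA-256(binary).
// Assumed scheme: a simplified stand-in for Authenticode, not what vim.org uses.
func Sign(priv ed25519.PrivateKey, binary []byte) []byte {
	digest := sha256.Sum256(binary)
	return ed25519.Sign(priv, digest[:])
}

// Verify checks a release against the pinned maintainer key, which plays the
// role of the root of trust installed on the user's machine. A key that was
// never pinned (an attacker's self-signed key) fails exactly like a tampered file.
func Verify(trusted ed25519.PublicKey, r Release) error {
	if len(r.Signature) == 0 {
		return ErrMissingSignature
	}
	digest := sha256.Sum256(r.Binary)
	if !ed25519.Verify(trusted, digest[:], r.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenarios runs the four cases a client-side check has to tell apart and
// returns the verification result for each, keyed by scenario name.
func Scenarios() map[string]error {
	maintainerPub, maintainerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed stand-in for the installer; not a real PE image.
	genuine := []byte("MZ constructed-gvim-installer-bytes v7.3")
	sig := Sign(maintainerPriv, genuine)

	// A modified copy, as a compromised mirror might serve it.
	tampered := bytes.Replace(genuine, []byte("gvim"), []byte("evil"), 1)

	return map[string]error{
		// Untouched file with the maintainer's signature: accepted.
		"genuine": Verify(maintainerPub, Release{"gvim.exe", genuine, sig}),
		// Modified file still carrying the original signature: digest mismatch.
		"tampered": Verify(maintainerPub, Release{"gvim.exe", tampered, sig}),
		// Modified file with the signature simply dropped: this is only caught
		// because the client insists on a signature being present.
		"stripped": Verify(maintainerPub, Release{"gvim.exe", tampered, nil}),
		// Modified file re-signed with a key nobody pinned: not in the trust root.
		"selfsigned": Verify(maintainerPub, Release{"gvim.exe", tampered, Sign(attackerPriv, tampered)}),
	}
}

func main() {
	for name, err := range Scenarios() {
		if err == nil {
			fmt.Printf("%-10s accepted\n", name)
		} else {
			fmt.Printf("%-10s rejected: %v\n", name, err)
		}
	}
}
```

The "stripped" case is the one Bram describes: a signature only defends against a swapped file if whatever installs or runs the download refuses unsigned input, which is a policy decision on the client rather than a property of the signature. The pinned key also illustrates the quoted chain-of-trust point: Windows gets its root set from the certificate store, while this example hard-codes a single maintainer key, which is the "manually added on every machine" situation the quote mentions.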
          • Philip Taron
            Message 5 of 14 , Jan 4, 2012
              > It's a lot of hassle to get this certification, costs quite a bit of
              > money (several thousand dollars), and only gives a little bit of
              > protection.  The obvious way around it is to just replace the signed
              > binary with a not signed binary, hardly anyone would notice.

              > In practice messing with the files has never happened and if it did it
              > would most likely be detected and fixed quickly.

              > Trojan horses are a big problem, but the signature is a very weak
              > protection against them.

              I'll drop the topic. Thanks for providing the current consensus opinion.

              Philip
