
Re: Digital Signatures for the official Vim binaries on Windows

  • Bram Moolenaar
    Message 1 of 14 , Jan 4, 2012
      Philip Taron wrote:

      > I noticed for some time now that the official Vim binaries distributed
      > on vim.org for Windows users aren't digitally signed.
      >
      > Is this due to lack of funds, lack of desire, technical limitations,
      > or personal choice?
      >
      > If it is lack of funds, I'd like to donate so this could happen.

      It's a lot of hassle to get this certification, costs quite a bit of
      money (several thousand dollars), and only gives a little bit of
      protection. The obvious way around it is to just replace the signed
      binary with a not signed binary, hardly anyone would notice.

      In practice messing with the files has never happened and if it did it
      would most likely be detected and fixed quickly.

      Trojan horses are a big problem, but the signature is a very weak
      protection against them.

      --
      If cars evolved at the same rate as computers have, they'd cost five euro,
      run for a year on a couple of liters of petrol, and explode once a day.

      /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
      /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
      \\\ an exciting new programming language -- http://www.Zimbu.org ///
      \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php
    • Philip Taron
      Message 2 of 14 , Jan 4, 2012
        > It's a lot of hassle to get this certification, costs quite a bit of
        > money (several thousand dollars), and only gives a little bit of
        > protection.  The obvious way around it is to just replace the signed
        > binary with a not signed binary, hardly anyone would notice.
        >
        > In practice messing with the files has never happened and if it did it
        > would most likely be detected and fixed quickly.
        >
        > Trojan horses are a big problem, but the signature is a very weak
        > protection against them.

        I'll drop the topic. Thanks for providing the current consensus opinion.

        Philip
