[vlc-devel] Update & PGP
Rafaël Carré
funman at videolan.org
Wed Dec 5 15:15:35 CET 2007
(sending again with a compressed patch because it was too big for the
ML)
Hello,
Here is my solution for using PGP to verify binary downloads (update
system).
I wanted to show it to you even if it's not finished.
You will want to change UPDATE_VLC_STATUS_URL and
UPDATE_VLC_MIRRORS_URL in src/misc/update.c to test it.
It's not finished, and there is some problems I didn't looked yet:
* Memory leaks
* Error path (make a difference between bad signature, and OOM
for example)
* What to do with the file when it couldn't be verified (i
thought about renaming it with a random extension, or
vlcXXX.exe.invalid)
* Code place: it shouldn't be in an header, but in its own .c
file
* grep for FIXME XXX and TODO
I remind you another solution would be to transmit md5 checksums over a
secure channel, and so require a certificate signed by a root
authority, and use https on the web servers.
I also remind you the update system need a clean up, to be simpler than
an XML file with a lot of info, but that can be do separately from a
secure verification of downloaded files.
I welcome your comments, except from courmisch because he sucks.
--
Rafaël Carré
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgp.diff.bz2
Type: application/x-bzip
Size: 13135 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20071205/15fe9f50/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20071205/15fe9f50/attachment.sig>
More information about the vlc-devel
mailing list