[vlc-devel] Update & PGP

Rafaël Carré funman at videolan.org
Wed Dec 5 15:15:35 CET 2007


(sending again with a compressed patch because it was too big for the
ML)

Hello,

Here is my solution for using PGP to verify binary downloads (update
system).


I wanted to show it to you even if it's not finished.
You will want to change UPDATE_VLC_STATUS_URL and
UPDATE_VLC_MIRRORS_URL in src/misc/update.c to test it.

It's not finished, and there are some problems I haven't looked at yet:
	* Memory leaks
	* Error path (make a difference between bad signature, and OOM for example)
	* What to do with the file when it couldn't be verified (I thought about renaming it with a random extension, or vlcXXX.exe.invalid)
	* Code place: it shouldn't be in a header, but in its own .c file
	* grep for FIXME XXX and TODO


I remind you another solution would be to transmit md5 checksums over a
secure channel, and so require a certificate signed by a root
authority, and use https on the web servers.

I also remind you the update system needs a cleanup, to be simpler than
an XML file with a lot of info, but that can be done separately from a
secure verification of downloaded files.


I welcome your comments, except from courmisch because he sucks.

-- 
Rafaël Carré
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgp.diff.bz2
Type: application/x-bzip
Size: 13135 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20071205/15fe9f50/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20071205/15fe9f50/attachment.sig>