to the Wordpress dev team : why not just sign it digitally?!
I was rather perplexed when I read the latest wordpress 2.1.3 release post. Therein, the dev team reported that they had taken the trouble of reviewing the code base for security enhancements and whatnot. In an eh-by-the-way style P.S., an update was provided on the recent code tainting, which was caused by a server account compromise.
Besides applying more caution to the server systems, the dev team now “are also now aggressively monitoring all downloads for any changes or modifications, and we are confident the same type of problem won’t happen again.” Assume the new aggressive monitoring means deploying HIDS software such as Tripwire on wordpress’s own servers. This, however, doesn’t help people who download from the various mirror sites. Plus, reading all those monitoring reports is not only time-consuming but also untimely, since a report can only arrive after a changed file has already been served. As much as I appreciate all the great work the dev team has been putting into the wordpress project, I want to ask a simple question: “why not just sign it digitally?”
Why is a digital signature not used, or even considered, as part of (or as the whole of) a turn-key solution to this problem? Now is a great time to vouch for the authenticity of the code base by signing it digitally, since the code base has just been reviewed and enhanced for security. If the downloads and packages were signed digitally on a separate secure server (a standalone, off-line, network-less server would be even better), thousands of wordpress site owners would gain great confidence in the software powering their sites, because they would have a powerful tool to verify the authenticity and integrity of their downloads, whether from wordpress.org’s own site or from its mirrors. This by itself ought to reduce the need to monitor the downloads and free up the dev team for more useful work on enhancing the wordpress server code.
A bit sadder is that the wordpress dev team is not alone. Many other great FOSS projects don’t sign their downloads either. Some provide only MD5 checksums. Yet a few are actually confused about the difference between a checksum and a digital signature. For my part, the RPMs available locally on this site have been signed with our GnuPG key.
It is perplexing also because signing with GnuPG or PGP is just so simple! For the latest wordpress 2.1.3 release tarball, one single line will do:
gpg -a --detach-sign wordpress-2.1.3.tar.gz
So, given the popularity of GnuPG, and as I commented earlier about the compromised wordpress 2.1.1 release, I’d ask again: “why not just sign it digitally?”
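As an added example (not from the original post or the wordpress project), the script below runs that one-liner through a full cycle: it signs a stand-in tarball with a throwaway key, verifies the genuine copy, then shows that a copy altered by one byte (what a compromised mirror would serve) fails verification. It assumes GnuPG 2.1 or later is installed; the key, the user ID and the tarball contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: detached GnuPG signing and verification of a release file.
# Assumes gpg (GnuPG 2.1+) is on PATH. Everything lives in a temp GNUPGHOME.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; exit 1; }

sign_and_verify_demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway signing key (constructed for this demo, no passphrase).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Signer (demo) <release@example.invalid>' \
        ed25519 sign 0 >/dev/null 2>&1

    # Stand-in for wordpress-2.1.3.tar.gz (constructed content).
    printf 'pretend this is wordpress-2.1.3.tar.gz\n' > "$work/release.tar.gz"

    # The one-liner from the post: ASCII-armored detached signature,
    # written next to the file as release.tar.gz.asc
    (cd "$work" && gpg --batch --quiet -a --detach-sign release.tar.gz)

    # Genuine download: the signature verifies against the release key.
    if gpg --batch --quiet --verify "$work/release.tar.gz.asc" \
            "$work/release.tar.gz" >/dev/null 2>&1; then
        genuine=ok
    else
        genuine=FAIL
    fi

    # Tainted download: the same file with one extra byte appended.
    cp "$work/release.tar.gz" "$work/tainted.tar.gz"
    printf 'x' >> "$work/tainted.tar.gz"
    if gpg --batch --quiet --verify "$work/release.tar.gz.asc" \
            "$work/tainted.tar.gz" >/dev/null 2>&1; then
        tainted=ok
    else
        tainted=FAIL
    fi

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "genuine=$genuine tainted=$tainted"
}

sign_and_verify_demo
```

A real release would use a long-lived project key with the public half published out of band, so a downloader can verify a tarball from any mirror with `gpg --verify wordpress-2.1.3.tar.gz.asc wordpress-2.1.3.tar.gz`.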
bbowden said,
April 6, 2007 @ 11:41 am
A more interesting article would be how to sign it digitally.
experts8 said,
April 6, 2007 @ 5:02 pm
Mr. B, does this mean you don’t think the one-liner in the last paragraph is enough?
barry said,
April 6, 2007 @ 7:40 pm
I am just saying if you were to write a step by step procedure on how to sign the code, it would be an interesting read.