Subject: Re: problem with download-vulnerability-list
To: Steven M. Bellovin <smb@research.att.com>
From: David Maxwell <david@crlf.net>
List: netbsd-users
Date: 07/28/2003 14:54:59
On Mon, Jul 28, 2003 at 09:46:01AM -0400, Steven M. Bellovin wrote:
> http to a cgi script?  But that only guards against transmission 
> failures, not against bad updates.  See
> http://catless.ncl.ac.uk/Risks/19.25.html#subj1.1
> for an example of the kind of failure I'm worried about.

There are several different issues here - and I don't want to take on
fixing them all today ;-)

a) Protection from infrastructure errors. (e.g., salo's commit)
b) Protection from rollback (version numbering)
c) Protection from unintentional data corruption (hashes)
d) Protection from editor error (e.g., typos) ('lint')
e) Integrity as delivered from TNP (signatures)
f) Integrity as proposed from a developer (signatures)
f') Integrity from malicious inserts/edits

a and b are pretty trivial.

c requires some additional tools to be present on a developer's system
(sha1) - and a pretty trivial amount of change to Makefiles.

d requires some time to develop a 'foolproof' ;-) methodology, and
implement it.

e requires infrastructure, hardware, and keys.

f requires infrastructure and keys.

f' requires a clearing house (paid role)

a,b,c,d will probably get done 'soon'.

The key part of e and f is being worked on.

f' is a long way off.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
If you don't spend energy getting what you want,
	You'll have to spend it dealing with what you get.
					      - Unknown
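The checks David lists as (b), (c) and (e)/(f) can be exercised together on the client side. The block below is an added illustration, not David's code and not pkgsrc's actual download-vulnerability-list implementation. It assumes a one-line manifest of the form `<version> <sha1> <tag>` (a constructed format) and uses an HMAC as a stand-in for the detached signature the thread talks about, because the point here is the order of the checks, not the signature algorithm.

```python
import hashlib
import hmac

# Constructed sample key. A real deployment would use a public-key
# signature (e.g. a detached signature file), not a shared secret;
# the HMAC is only an assumption for this example.
SIGNING_KEY = b"example-shared-secret-not-real"


def sha1_hex(data: bytes) -> str:
    """(c) hash used to detect unintentional corruption in transit."""
    return hashlib.sha1(data).hexdigest()


def make_manifest(version: int, body: bytes, key: bytes = SIGNING_KEY) -> str:
    """Publisher side: build "<version> <sha1> <tag>" for a list body.
    The tag binds the version number and digest together so neither can be
    edited independently without detection (assumed manifest format)."""
    digest = sha1_hex(body)
    msg = f"{version} {digest}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{version} {digest} {tag}"


def check_update(manifest: str, body: bytes, current_version: int,
                 key: bytes = SIGNING_KEY) -> tuple:
    """Client side: return (accepted, reason).

    Order matters: authenticate the manifest first, because the version
    number and digest mean nothing until we know who produced them."""
    try:
        version_str, digest, tag = manifest.split()
        version = int(version_str)
    except ValueError:
        return False, "malformed manifest"

    # (e)/(f): integrity as delivered from the publisher.
    msg = f"{version} {digest}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"

    # (b): protection from rollback - an older or replayed list is refused
    # even though it is authentic.
    if version <= current_version:
        return False, "rollback"

    # (c): protection from corruption - body must match the signed digest.
    if not hmac.compare_digest(sha1_hex(body), digest):
        return False, "hash mismatch"

    return True, "ok"


# Constructed sample list body (not a real pkg-vulnerabilities entry).
GOOD_BODY = (b"pkg-vulnerabilities v2\n"
             b"foo<1.2 remote-code-execution http://example.invalid/advisory\n")


def demo() -> dict:
    """Run the client checks against a good update and three bad ones."""
    manifest = make_manifest(7, GOOD_BODY)
    parts = manifest.split()
    parts[0] = "9"                      # editor bumps version without re-signing
    unsigned_bump = " ".join(parts)
    return {
        "fresh":      check_update(manifest, GOOD_BODY, current_version=6),
        "replayed":   check_update(manifest, GOOD_BODY, current_version=7),
        "corrupted":  check_update(manifest, GOOD_BODY + b"\x00", current_version=6),
        "tampered":   check_update(unsigned_bump, GOOD_BODY, current_version=6),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

Note that the rollback check rejects an authentic but older list: that is exactly the case a hash or signature alone cannot catch, which is why (b) is listed separately from (c) and (e).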