Closed
Bug 162833
Opened 23 years ago
Closed 23 years ago
files downloaded from mozilla.org can't be verified because nobody provides PGP signatures
Categories
(Core :: Security, defect)
People
(Reporter: max, Assigned: security-bugs)
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20011126
Netscape6/6.2.1
BuildID: 20020815
Hi,
You have probably heard of the trojans that were recently inserted into open
source projects like openssh, bitchx and irssi.
I'd like to recommend that you create PGP/GPG signatures for all downloadable
files so users can verify the integrity of the downloads they get from your site
or from mirrors. MD5 checksums are NOT enough!
Information about how to create cryptographic signatures and the required
software is available at www.gnupg.org.
Please let me know what you think.
thanks,
Max
Reproducible: Always
Steps to Reproduce:
1. Go to www.mozilla.org/releases
2. Download mozilla
3. Try to verify its integrity
Actual Results: I've failed at step 3 because there are no signatures being
made available by the developers.
Expected Results:
$ gpg --verify mozilla-i686-pc-linux-gnu-1.0.tar.gz.sig
gpg: Signature made Thu Aug 15 15:48:15 2002 CEST using RSA key ID xxxxxxxx
gpg: Good signature from "mozilla developer joe <joe@mozilla.org>"
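The check Max asks for, as an added example that is not part of the original bug report or of any mozilla.org tooling: it models the release signing scheme with Go's standard-library Ed25519 instead of PGP so that it runs offline, uses a constructed placeholder string in place of a real tarball, and contrasts a checksum file served from the same mirror as the download with a detached signature verified against a key the user already holds. The function and type names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download mirror serves: the tarball, a checksum file
// written by whoever controls the mirror, and a detached signature that only
// the holder of the release signing key can produce.
type Release struct {
	Tarball   []byte
	SHA256Hex string // stand-in for the .md5/.sha256 file next to the tarball
	Signature []byte // stand-in for the detached .sig file
}

// Publish models the release engineer: hash the tarball for the checksum
// file and sign the tarball with the private release key.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	sum := sha256.Sum256(tarball)
	return Release{
		Tarball:   tarball,
		SHA256Hex: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, tarball),
	}
}

// ChecksumMatches is the checksum-only check: recompute the digest of the
// download and compare it with the checksum file served beside it.
func ChecksumMatches(r Release) bool {
	sum := sha256.Sum256(r.Tarball)
	return hex.EncodeToString(sum[:]) == r.SHA256Hex
}

// SignatureValid is the gpg --verify equivalent. The public key is the one
// the user obtained out of band and keeps locally; nothing from the mirror
// is trusted.
func SignatureValid(trustedPub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(trustedPub, r.Tarball, r.Signature)
}

// Tamper models a compromised mirror: swap the tarball, rewrite the checksum
// file so the two still agree, and publish a signature made with whatever
// key the attacker has. The real release key is never on the mirror.
func Tamper(attackerPriv ed25519.PrivateKey, backdoored []byte) Release {
	return Publish(attackerPriv, backdoored)
}

// Outcome records the four checks Demo performs.
type Outcome struct {
	CleanChecksum     bool
	CleanSignature    bool
	TamperedChecksum  bool
	TamperedSignature bool
}

// Demo runs the scenario on constructed data: a placeholder string stands in
// for the release archive, and fresh keys stand in for the release and
// attacker keyrings.
func Demo() (Outcome, error) {
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	genuine := []byte("constructed sample: mozilla-i686-pc-linux-gnu-1.0.tar.gz contents")
	clean := Publish(releasePriv, genuine)

	backdoored := []byte("constructed sample: same tarball with an added payload")
	tampered := Tamper(attackerPriv, backdoored)

	return Outcome{
		CleanChecksum:     ChecksumMatches(clean),
		CleanSignature:    SignatureValid(releasePub, clean),
		TamperedChecksum:  ChecksumMatches(tampered),
		TamperedSignature: SignatureValid(releasePub, tampered),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine release:  checksum ok=%v  signature ok=%v\n", o.CleanChecksum, o.CleanSignature)
	fmt.Printf("tampered mirror:  checksum ok=%v  signature ok=%v\n", o.TamperedChecksum, o.TamperedSignature)
}
```

The point the walk-through makes is the one in the report: a checksum published beside the file only proves the download matches what the mirror chose to serve, so a mirror that rewrites both passes the checksum check, while the signature fails because the verifier compares against a key it obtained independently of the mirror.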
Comment 1•23 years ago
Sounds like a good idea to me. However, this isn't a browser security bug;
please change the 'Product' of this bug to 'mozilla.org' (since it's an
enhancement for the website).
Comment 2•23 years ago
*** This bug has been marked as a duplicate of 68079 ***
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE