[all-coord@li.org: Delays, and security]

From: Swedish GNU/LI List (sv_at_li.org)
Date: 1996-06-05 22:25:42

This came to the coordination list, but it probably applies just as much
to the rest of you.  How many already have PGP keys?  I don't.

attached mail follows:



     ------
     List:     GNU Coordinators List
     Sender:   François Pinard <pinard@icule.progiciels-bpi.ca>
     Subject:  Delays, and security
     Date:     Tue, 4 Jun 1996 22:15:11 -0400
     ------

Hi, everybody.


First, I want to apologise for some delays in uploading of PO files
to archives.  A few have irregular header entries, and I find it quite
tedious to check these all, and further, I also make mistakes.  So, as an
attempt to at least detect irregularities, I want to somewhat automate
a little further checking and cross-validation before uploading.  But I
did not find the time to do it yet.  Soon, hopefully.  Nothing is lost.


Second, discussing security with a few people around, it occurred to me
that if someone would like to play tricks at GNU, it would be fairly
easy to send forgeries of translation files (PO files), soon before
an official release of a GNU package, as most of us are unable to even
have an opinion on the quality or contents of translations (because the
languages are foreign to one another), and proper teams might not always
immediately check the contents of uploaded files.

Seeking solutions, I installed PGP (Pretty Good Privacy) for myself and
began to study it, while discussing such methods with other GNU people.
I'm not really interested in the crypting facilities of PGP, as we have
nothing to hide.  I'm only interested in the signing facilities, able to
prove that files come indeed from whoever sent them.  I fear a little what
the incoming explosion of Internet will bring us, from an ethical standpoint.
Many of you might know how easily one may achieve message forgery...

So, if you feel like it, on an experimental basis, you team coordinators are
all invited to let me know your public key if you ever make one, and to
PGP-sign messages conveying any information such that authentication of
the sender might be adequate.  Maybe I'm babbling nonsense and you do
not even know what I'm speaking about.  On the other hand, let me dream
a little and presume that most of you are attracted to the said idea:
then later, one of these days, all submitted PO files might require proper
authentication, would it be by the translators themselves, or if only
a few were unable to do so, then by their team coordinator in their name.
Signatures of new team members, who may directly submit translations, might
then have to be certified at least once by the appropriate team leaders.

-- 
François Pinard         ``Vivement GNU!''        pinard@iro.umontreal.ca
Support Programming Freedom, join our League!  Ask lpf@lpf.org for info!
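
The acceptance rule proposed in the forwarded message, sketched as an added example (not part of the original mail or of any GNU tool). It assumes GnuPG rather than 1996-era PGP and reads the text produced by `gpg --status-fd 1 --verify`; the roster, fingerprints and function names are constructed placeholders.

```python
"""Gate PO uploads on the status output of `gpg --status-fd 1 --verify`."""

# Status keywords that mean the signature must not be trusted.
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed roster: fingerprints are made-up placeholders, not real keys.
COORD, OLD_MEMBER, NEW_MEMBER = "A" * 40, "B" * 40, "C" * 40
TEAMS = {"sv": {"coordinator": COORD,
                # translator fingerprint -> already certified by the coordinator?
                "translators": {OLD_MEMBER: True, NEW_MEMBER: False}}}


def signer_fingerprint(status):
    """Return the primary-key fingerprint of the single valid signature, else None."""
    valid = []
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in BAD:
            return None
        if parts[1] == "VALIDSIG":
            args = parts[2:]
            # Identify the signer by fingerprint, never by the user ID string:
            # the 10th argument is the primary key, the 1st the signing (sub)key.
            valid.append(args[9] if len(args) >= 10 else args[0])
    return valid[0].upper() if len(valid) == 1 else None


def accept_po(team, status):
    """Apply the rule: coordinator, or a translator the coordinator has certified."""
    fpr = signer_fingerprint(status)
    if fpr is None:
        return False, "no single valid signature"
    roster = TEAMS.get(team)
    if roster is None:
        return False, "unknown team"
    if fpr == roster["coordinator"]:
        return True, "signed by coordinator"
    certified = roster["translators"].get(fpr)
    if certified is None:
        return False, "signer is not a member of this team"
    if not certified:
        return False, "member key not yet certified by coordinator"
    return True, "signed by certified translator"


def status_for(fpr):
    """Build constructed gpg status text for a good signature made by `fpr`."""
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed User <user@example.org>\n"
            f"[GNUPG:] VALIDSIG {fpr} 1996-06-04 833940911 0 4 0 1 8 00 {fpr}\n")
```
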
