But I'm curious, why would it cost money to do this? GnuPG is free, so
whatever the reason, I doubt that it's a monetary issue.
IIUC, Bram's binaries are (outdated but) signed: see either of the MD5
and MD5SUMS files in the ftp://ftp.vim.org/pub/vim/pc/ directory.
If you want an up-to-date Vim for Windows, I recommend Steve Hall's "Vim
without Cream", http://sourceforge.net/projects/cream/files/Vim/ — that
one doesn't seem to be signed but is it Steve's or SourceForge's policy?
Best regards,
Tony.
--
God is a comic playing to an audience that's afraid to laugh.
On 03/01/12 00:11, Philip Taron wrote:
Hey all,
I noticed for some time now that the official Vim binaries distributed
on vim.org for Windows users aren't digitally signed.
Is this due to lack of funds, lack of desire, technical limitations,
or personal choice?
If it is lack of funds, I'd like to donate so this could happen.
Philip
No policy, but I'd be curious to know what the OP believes to be
practically accomplished with signed files. Perhaps we're just talking
about the official binaries? Or just checksums?
--
Steve Hall [ digitect dancingpaper com ]
This is a Microsoft scare tactic, there's no reason not to trust
software if you are confident of where you got it. You can eat food
from state certified restaurants and get sick, or eat at a neighbor's
house and feel great. (I'd even argue the latter is safer.)
So I'd love to see the point made using Free Software and not
requiring license fees or key hosting by whatever corporation. (Unless
the case is being made that only state sponsored food should be
allowed.)
> Cream distro -- well, that one suffers from the same problem. I'd
> prefer to use the vim.org/Bram build of Vim if I can, since I can be
> sure it is fully up to date and doesn't have janky personal
> customizations and patches.
You obviously don't get the point of Free Software. :)
> Why does it take funds? Because not everyone can be a certificate
> authority. There is a chain of trust that originates in the set of
> root certificates installed on everyone's machines, and self-signed
> certs must be manually added on every machine that wants to trust
> that author is who he or she claims they are.
It only takes funds because the crooks that are trying to scare
everyone into a fully sponsored "security solutions" need money to
survive.
Hey, enough with the hate, suffixed with smiley faces as it is. Anything prefaced with the phrase "I prefer" surely is meant only in a personal manner. More power to you for creating and maintaining Cream. It's not _my_ preference.
Dare I note that both sourceforge.net and vim.org are not offered over https? Without that, there's no way to know whether I'm eating at a mockup of my neighbor's house or at the house itself.
It's a lot of hassle to get this certification, costs quite a bit of
money (several thousand dollars), and only gives a little bit of
protection. The obvious way around it is to just replace the signed
binary with a not signed binary, hardly anyone would notice.
In practice messing with the files has never happened and if it did it
would most likely be detected and fixed quickly.
Trojan horses are a big problem, but the signature is a very weak
protection against them.
--
If cars evolved at the same rate as computers have, they'd cost five euro,
run for a year on a couple of liters of petrol, and explode once a day.
/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
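An added example, not part of the thread and not code from the Vim project: a PowerShell check that treats a missing Authenticode signature as a failure and pins the expected signer, which is the check that would have to run for a swap from a signed to an unsigned binary to be noticed. The function name, file path and thumbprint are placeholders chosen for illustration.

```powershell
# Added example, not from the thread. Path and thumbprint are placeholders.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Signer certificate thumbprint, obtained out of band from the publisher.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Fail closed: NotSigned, HashMismatch, NotTrusted and every other
    # non-Valid status are all treated as a failed check.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning ("{0}: signature status is {1}" -f $Path, $sig.Status)
        return $false
    }

    # A valid signature from any publisher is not enough; pin the signer.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    $actual   = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $expected) {
        Write-Warning ("{0}: signed by unexpected certificate {1}" -f $Path, $actual)
        return $false
    }

    return $true
}

# Usage with placeholder values:
# if (-not (Test-InstallerSignature -Path '.\installer.exe' `
#         -ExpectedThumbprint '<PUBLISHER-CERT-THUMBPRINT>')) {
#     throw 'Refusing to run an installer that failed signature verification.'
# }
```

Pinning the thumbprint means the expected value has to be updated whenever the publisher renews its signing certificate.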