Community Page
- HuddledMasses.org/
Recent Comments
- Thanks for the plugins Jaykul! I'm using them on my website which I just migrated from textpattern to wordpress and they are working great... There is just one little problem I am having... It...
- I was able to download the wmv-hd and the powerpoint ones. I gathered info from www.microsoftpdc.com but it seems some formats are not available yet.
- Were you able to get anything aside from wmv to work, Joel?
- Hey Jaykul, I've got some experience with this that I'm happy to share. I've used a Tivo (and hacked it to add a larger hard drive), a Comcast DVR, a Windows XP Media Center with an...
- Hey Joel, Ars Technica is also live tweeting the keynotes here: http://twitter.com/arspdc
Huddled Masses
Joel Bennett's development blog...
The cool thing about the way Authenticode signatures are implemented is that even if a script is signed with a self-issued certificate, you can still tell if the script has been tampered with… Check this out:
[1]:ls SCRIPTS:\UnknownCert\Sample*.ps1,SCRIPTS% ... Continue reading »
1 year ago
On the flip side, if the goal is just verifying the integrity of the script, that can be valuable, and I would fall towards running a community CA, whether self-signed or not (sorry, I've got no connections with any CAs).
Thanks for bringing this up Jaykul!
1 year ago
I really like your ideas. Really, the scripts with built-in dependencies thing is brilliant. I have written bash scripts before that automatically check for dependencies and download them if they are not met, but it actually never occurred to me that a standardized way could be created with little logic to accomplish the same thing.
As far as the security concerns, I am not an expert in encryption and hashing/signing algorithms, but I can assume it can be done for free as packages are typically required to be signed to work with apt-get without throwing a scary error. By default apt-get in Ubuntu for instance will only find and install software signed by select Ubuntu developers. I assume they use this "web of trust" thing, but as I said, I didn't study how it's accomplished yet.
But we can have a trusted group of people who evaluate all the scripts and cmdlets to ensure they are malware-free, then sign them using this method. Like apt-get, if the auto dependency checker encounters a dependency which it cannot verify a trusted signature for, it should fail.