Safety of smart clients
The recent Debian break-in (http://marc.theaimsgroup.com/?l=debian-announce&m=106941381015817&w=2) made me wonder.
More and more are going the automatic update route for network-delivered apps. Do you all use code-signing for the files? Does your client verify the signature? Do you use certificates? Do you use OCSP, CLR? Does your client check the certificate status? Do you have a compromise contingency plan?
Just me (Sir to you)
Friday, November 21, 2003
Obviously not.
One reason might be that it's hard to convince a product manager to invest resources in the abovementioned measures. "It's finished, so we will ship it!"
Johnny Bravo
Friday, November 21, 2003
As a note, the recent break-in did not affect the archive that updates use.
Joe V.
Friday, November 21, 2003
Can I rephrase the question:
Have you deployed automatic updating capabilities in one of your products?
What security did you implement?
Just me (Sir to you)
Monday, November 24, 2003