So several Horde releases were trojaned for three months? That's pretty terrible. Good on them for coming clean.
What's the best way for open source projects to make it easy for their customers to get verified downloads? A lot of packages post MD5 checksums but no one tests them when downloading manually, do they? Automated signature checking on Debian packages seems to work better in practice; homebrew also verifies download checksums automatically.
That's not entirely true. Since I found how to poison my ISP's PeerApp "invisible" cache servers I started to check MD5 when downloading manually. It does cache big files but not small ones.
Here is the link for technical details if you are interested.
http://godlessmechanics.blogspot.com/2011/12/tale-of-sneaky-...
1. Have to control the signature that's provided
2. Have to have a trust system in place so that people realize that the signature provided wasn't legit.
I'm not sure the personal public key infrastructure (web of trust) is developed enough to absorb that.
All the most used Linux distros use a PGP-based check before installing packages.
These distros are distributed with a keychain that contains keys for all the approved developers/uploaders. What you have to trust is the fact that the keychain you have is the real one, but that is easy to do. Once you trust your keychain you can install things securely: the private pairs are in the hands of people that have been through processes similar to this http://www.debian.org/devel/join/newmaint .
What it comes down to is you have to trust someone, eventually. You've got to trust your distro and its installed version of GPG, or you've got to trust your own compiled version of GPG, etc. Unless you're savvy enough to download the source code and confirm it's safe, you're stuck trusting someone.
It's sort of a chicken and the egg problem, PGP. A better web of trust would help resolve these issues (I'm probably not that many trusted steps from a Debian developer), but without a better web of trust, it's hard to build a web of trust, if that makes any sense.
And it seems no one does key signing parties any more...
If they have access to the packages, they have access to the checksums. The checksums only verify that the file isn't corrupt, what you should receive is what you actually received.
True; proper digital signatures would be better. My understanding is the checksums exist to be distributed so that maybe someone would notice "hey, foo.tar.gz on this mirror has the wrong checksum!" The way it works in Homebrew, for instance, is that the sha256 of a file downloaded from the source server is verified against the checksum stored in Homebrew's github repository. Someone would have to compromise both the source server and the github repository to break it. Not ideal, but better than nothing. More importantly it's automatic; Homebrew users don't think about it.
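The two comments above describe the difference between a checksum served beside the download (which a compromised mirror can simply regenerate) and a checksum pinned somewhere the mirror cannot touch (the Homebrew model). The script below is an added illustration, not code from the thread or from Homebrew: it simulates an honest and a compromised mirror with constructed sample tarballs, parses a `SHA256SUMS`-style file in the `sha256sum` format, and compares the two verification strategies. The file names, tarball contents and the in-memory "pinned" checksum store are all assumptions made for the example.

```python
"""Checksum beside the download vs. checksum pinned out of band.
Added illustration with constructed data; not real Horde releases."""
import hashlib
import hmac

# Constructed sample artifacts (assumed for the example).
GENUINE_TARBALL = b"horde-1.0.tar.gz: genuine contents"
TROJANED_TARBALL = b"horde-1.0.tar.gz: genuine contents plus backdoor"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse a SHA256SUMS file in `sha256sum` format: '<hex>  <filename>' per line.
    Blank lines and '#' comments are ignored; a leading '*' (binary-mode marker)
    on the filename is stripped. Malformed lines raise rather than being skipped."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        sums[name] = digest.lower()
    return sums


def verify(name: str, data: bytes, sums: dict) -> bool:
    """True only if `name` is listed and its digest matches (constant-time compare)."""
    expected = sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Checksum recorded at release time in a place the mirror does not control.
# In Homebrew this lives in the formula repository; here it is just a string.
PINNED_SUMS = parse_sha256sums(f"{sha256_hex(GENUINE_TARBALL)}  horde-1.0.tar.gz\n")


def mirror(compromised: bool):
    """Simulated download mirror serving a tarball plus a SHA256SUMS file beside it.
    An attacker who can replace the tarball can regenerate that file too."""
    tarball = TROJANED_TARBALL if compromised else GENUINE_TARBALL
    colocated = f"{sha256_hex(tarball)}  horde-1.0.tar.gz\n"
    return tarball, parse_sha256sums(colocated)


def check_download(compromised: bool) -> dict:
    """Run both checks against what the mirror served."""
    tarball, colocated_sums = mirror(compromised)
    return {
        "colocated": verify("horde-1.0.tar.gz", tarball, colocated_sums),
        "pinned": verify("horde-1.0.tar.gz", tarball, PINNED_SUMS),
    }


if __name__ == "__main__":
    print("honest mirror:     ", check_download(False))
    print("compromised mirror:", check_download(True))
```

The co-located check passes in both cases, because the attacker controls the tarball and the checksum file alike; only the pinned checksum catches the swap. Pinning still leaves the problem the thread raises next (someone who compromises the pin store as well), which is what a signature from a key held off the distribution path is for.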
git has pretty good signatures for tags. Maybe there's a way to leverage that for secure open source distribution.