No Excuses for No Signatures
Opinion: We all owe thanks to Peter Torr for bringing the issue of digitally signed downloads back to our attention. Microsoft loves them, but they make even more sense for open-source projects.Every now and then a real jewel comes out of the blogosphere. You hear about it when it happens, because everyone else links to it in their own blogs. I did this recently, linking to a blog entry by Peter Torr of Microsoft. Audacity sells, and Torr had the audacity to entitle his piece "How can I trust Firefox?" The bottom line of the article is thatunlike Microsoft downloads Firefox is not digitally signed. How can he be sure that the file he downloads is what it purports to be? Theres more to the post, some of it significant, but Id like to focus briefly on the signature part. For many, many years, Microsoft has supported digital signatures of files and other items such as ActiveX controls. What these signatures do is to allow a user to verify, with a very high degree of certainty, that a file is from who it purports to be from.
Firefox, needless to say, is not distributed with a signature, but Torr exposed many other weaknesses in the process for a user obtaining and installing it. Responding to an advertisement in the New York Times, he went to the advertised URL, www.getfirefox.com. This redirected him to www.mozilla.org/products/firefox, which makes a kind of sense. But the actual download proceeded from mirror.sg.depaul.edu. I just downloaded it myself and mine came from ftp.funet.fi.
- The iTunes setup program
- The Adobe Acrobat 6.0x setup program
- The ArgoSoft Mail Server setup program
- The AOL Instant Messenger setup program