8/15/2023
Putty download chiark home page

The second-to-last point makes zero sense in this context. I say all of that less towards you and more generally in the context of this thread, as you did point out "I am all for helping developers jump through the hoops they need to jump through, if they are willing". The fact that the developer continues to update/bug fix this program is amazing (as recently as "") and I worry about driving off a developer/contributor just because they didn't do a few things that probably don't interest them at all. I get that code signing and HTTPS ARE important and probably needed for a tool like this, but I think the question we should be asking is "How can we help get to that point?" and not "Why hasn't the developer done this already?!?!". To ask them to provide and maintain extra processes just seems a little wrong.

Once they finish they upload it to GitHub or some code-hosting platform as a way to share the work they've done and contribute back to the community. They do it to scratch their own itch or to help someone else scratch theirs. I don't speak for all developers, obviously, but I'd wager a guess that most developers don't code (for OS at least) to "corner the market" or essentially become and run a mini-corporation (Twitter, blog, GitHub, HTTPS, code signing, website w/ landing page, etc.). I understand what you are saying about "Putty seeks to perform a security-critical function." and therefore it should take these things into account (in a perfect world). I'm not saying that either of these things is not important (they both are), but let's not jump down the dev's throat because they aren't giving up even more of their time on something they see no return on. If you find code signing/HTTPS to be so important, I suggest you do it yourself; the code is freely available and since it's under an MIT licence you can even SELL access to your code-signed and HTTPS-protected PuTTY version.

We are talking about a non-trivial amount of work over a month or more, all so that people will stop bitching about the FREE and OPEN SOURCE product he is producing. Now he has to get a code signing cert (not a fast or easy process, I would assume) and add that to the list of things he needs to do for each release. Lastly, let's say he gets the money and takes care of the taxes and all of that. It's obvious the PuTTY dev is not a designer (I don't say that to be mean), so I'm sure there would be people here on HN that would be all like "Ugh, this guy is asking for money and he can't take 2 minutes to make his funding site look halfway decent?" (Those people would be classified as douches, but that wouldn't stop them from making the comment nor the dev potentially reading them.) Also, while crowdfunding platforms have gotten really easy, they still take effort and sometimes some sort of verification process. I know that sounds crazy, but people taking donations have to declare that on their taxes and some people don't want to deal with that. No doubt, but we all need to remember that sometimes accepting money is more trouble than it's worth.

Someone with an Authenticode cert should compile it and then sign it and see if it still gets by the security vendors.

I still have the keystroke logger source code. There was a check-box somewhere to disable that, but long story short, I would not say that Authenticode code signing is a big security benefit today. The real issue was that the security software trusted any code that was Authenticode signed and let it run no matter what. Their customers were then happy and felt safer as it was now 'detected'. Even though my software had been available for years, was code signed, came with full source code and was clearly labeled for educational purposes only, the security companies sent takedown notices to my ISP, placed my domain on DNS blacklists and 'fixed' the issue by declaring any exe signed by my Authenticode cert as malicious.

Several years later, some customers of Zemana and Comodo complained that the keystroke detection/security software (that they had paid money for) did not detect my keystroke logging software. I wrote a proof of concept keystroke logger for Windows, then Authenticode signed it and made it available along with source code for others to experiment with and review.

You mean Authenticode on Windows?

I once had an Authenticode code signing cert that I used to sign Windows executables.

"None of which would have mattered if Putty.exe was codesigned.
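The point made in the thread above, that a "Valid" Authenticode status only proves that some CA-issued certificate signed the file (the keylogger author's certificate was just as valid as anyone else's), and that a useful check must pin the expected publisher rather than accept any signature, as an added PowerShell example. This is not code from the thread or from the PuTTY project. The download path and the publisher's certificate thumbprint are placeholder assumptions; Get-AuthenticodeSignature is the standard Windows cmdlet.

```powershell
# Added example, not from the thread or from PuTTY. Checks a downloaded executable's
# Authenticode signature and pins the publisher, instead of treating "any signed exe"
# as trusted (the failure mode the thread describes).
#
# Assumptions (placeholders, not real values): the download path and the SHA-1
# thumbprint of the publisher's signing certificate. The thumbprint must come from a
# source you already trust, never from the file you are about to check.

function Test-PinnedAuthenticode {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. Signed at all, file hash matches the signature, chain reaches a trusted root.
    #    Anything else (NotSigned, HashMismatch, NotTrusted, ...) is a reject.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "REJECT: status '$($sig.Status)' - $($sig.StatusMessage)"
        return $false
    }

    # 2. 'Valid' only means *some* CA-issued certificate signed it; the keylogger in
    #    the thread was 'Valid' too. Require the specific publisher you expect.
    #    (-ne is case-insensitive in PowerShell, so thumbprint case does not matter.)
    $cert = $sig.SignerCertificate
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        Write-Warning "REJECT: unexpected signer"
        Write-Warning "  Subject:    $($cert.Subject)"
        Write-Warning "  Thumbprint: $($cert.Thumbprint)"
        Write-Warning "  Expected:   $ExpectedThumbprint"
        return $false
    }

    # 3. Without a timestamp countersignature the signature stops verifying once the
    #    signing certificate expires, so a release pipeline should always add one.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "REJECT: no timestamp countersignature"
        return $false
    }

    Write-Host "ACCEPT: $Path is signed by $($cert.Subject)"
    return $true
}

# Usage with placeholder values (assumptions; replace with your own):
$ok = Test-PinnedAuthenticode `
    -Path "$env:USERPROFILE\Downloads\putty.exe" `
    -ExpectedThumbprint "0000000000000000000000000000000000000000"
if (-not $ok) { exit 1 }
```

The pin is what turns the signature into a security control: step 1 alone is exactly the "trust anything Authenticode-signed" policy the thread criticises. The expected thumbprint has to be obtained out of band (for example from a copy you already verified), which is also where the thread's HTTPS point bites: if both the binary and the published fingerprint travel over plain HTTP, an attacker in the path can replace both.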