Joe Armstrong (AL/EAB)
Mon Feb 21 11:49:00 CET 2005
> On 18 Feb 2005, at 13:30, Thomas Lindgren wrote:
> > --- Vlad Dumitrescu <vlad_dumitrescu@REDACTED>
> > wrote:
> >> I'd like to suggest another variant: in a LAN
> >> environment, the libraries might
> >> be made available via the network. Not for download,
> >> but for the code loader.
> > You can always try "erl -loader inet -hosts ...".
> > (I hasten to say I never have :-)
> > Though the problem with internet scale deployment
> > would really be whether you can trust the code you are
> > loading, as mentioned to me yesterday by someone who
> > shall only be known as "Sean".
But surely this is easily solved :-)
Let's suppose "joe" was the original creator of a program.
Joe compiles his public key into the distribution.
Vlad downloads Joe's code.
Vlad gets an update from somebody claiming to be joe; it is signed with
joe's private key. Vlad can now test that the update to the program and
the original were signed with the same private key.
Thus the update is at least as secure as the original. So if you trust the original
you should also trust the update.
The code for this is in the section marked
RSA in http://www.erlang.org/examples/examples-2.0.html
and the code to do this is in http://www.erlang.org/examples/examples-2.0.tgz
> Well, Sean might also have said that this was a solution to a
> non-existing problem - no-one cares about typical application size
> downloads these days.
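
The check described in the message above, sketched as an added example (not part of the original post and not the code from the linked examples archive). It uses OTP's `public_key` application instead of the RSA code the post links to; the module name `pinned_update`, the function `verify_update/3` and all sample data are constructed for illustration.

```erlang
-module(pinned_update).
-export([demo/0, verify_update/3]).
-include_lib("public_key/include/public_key.hrl").

%% verify_update/3 (hypothetical helper): true only if Signature over Update
%% was made with the private key matching PinnedPub, the public key that was
%% compiled into the original distribution.
verify_update(Update, Signature, #'RSAPublicKey'{} = PinnedPub)
  when is_binary(Update), is_binary(Signature) ->
    public_key:verify(Update, sha256, Signature, PinnedPub);
verify_update(_, _, _) ->
    false.

%% demo/0 runs the three cases a receiver of an update has to tell apart.
demo() ->
    %% Constructed key pair standing in for Joe's, generated here so the
    %% example runs offline. Only the public half ships with the program.
    #'RSAPrivateKey'{modulus = N, publicExponent = E} = JoePriv =
        public_key:generate_key({rsa, 2048, 65537}),
    PinnedPub = #'RSAPublicKey'{modulus = N, publicExponent = E},

    %% Constructed update payload, signed by Joe.
    Update = <<"-module(app). %% version 2 (constructed sample)">>,
    Sig = public_key:sign(Update, sha256, JoePriv),

    %% Somebody claiming to be Joe, but signing with a different key.
    OtherPriv = public_key:generate_key({rsa, 2048, 65537}),
    OtherSig = public_key:sign(Update, sha256, OtherPriv),

    %% Joe's signature attached to a payload that was changed afterwards.
    Tampered = <<Update/binary, " %% altered">>,

    [{signed_by_pinned_key, verify_update(Update, Sig, PinnedPub)},
     {signed_by_other_key,  verify_update(Update, OtherSig, PinnedPub)},
     {payload_altered,      verify_update(Tampered, Sig, PinnedPub)}].
```

The result says only that the update and the original come from the holder of the same private key, so it is exactly as trustworthy as the way the original distribution, and the key inside it, was obtained.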