Mon Feb 21 12:15:48 CET 2005
--- "Joe Armstrong (AL/EAB)"
> But surely this is easily solved :-)
> Let's suppose "joe" was the original creator of a
> Joe compiles his public key into the distribution.
Sure, issue a certificate, sign the modules, and
package them up like your garden variety conscientious
tar package. However, I don't believe this is
supported in the actual Erlang distribution. E.g., the
compiler does not generate an appropriate hash,
systools and .rel/.app/... do not support it, and
erl_prim_loader does not verify such signatures.
But maybe someone could add it?
Bytecode verification could also ensure that your code
is not doing disreputable things. (Though Erlang has a
lot of holes in that regard.)
An even safer option is certifying the actual code
(proof-carrying code); you don't even have to trust
the word of the originator. I'm not sure PCC is mature
enough yet, though.
More information about the erlang-questions
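
The sign-then-verify-before-load scheme discussed in the message above, as an added sketch that is not part of the original post and not a mechanism of Erlang/OTP itself. The module name `signed_load`, the demo module `signed_demo` and the choice of ECDSA over secp256r1 are assumptions; the check lives in a wrapper around `code:load_binary/3`, so code loaded through the normal path (which, as the post says, does no such verification) is not covered.

```erlang
-module(signed_load).
-export([demo/0, sign/2, load_verified/4]).

%% Originator side: sign the compiled module.
%% crypto:sign/4 hashes the message itself, so the raw beam binary is passed.
sign(Beam, Priv) ->
    crypto:sign(ecdsa, sha256, Beam, [Priv, secp256r1]).

%% Receiver side: hand the binary to the code server only if the
%% signature verifies against the originator's (pinned) public key.
load_verified(Mod, Beam, Sig, Pub) ->
    case crypto:verify(ecdsa, sha256, Beam, Sig, [Pub, secp256r1]) of
        true ->
            case code:load_binary(Mod, "signed:" ++ atom_to_list(Mod), Beam) of
                {module, Mod} -> ok;
                {error, Why}  -> {error, Why}
            end;
        false ->
            {error, bad_signature}
    end.

%% Helper for the demo: compile a tiny module in memory (constructed input).
compile_src(Lines) ->
    Forms = [begin
                 {ok, Toks, _} = erl_scan:string(L),
                 {ok, Form} = erl_parse:parse_form(Toks),
                 Form
             end || L <- Lines],
    {ok, Mod, Beam} = compile:forms(Forms, [binary]),
    {Mod, Beam}.

demo() ->
    %% In practice the private key stays with the originator ("joe") and
    %% only the public key is compiled into the distribution.
    {Pub, Priv} = crypto:generate_key(ecdh, secp256r1),
    {Mod, Beam} = compile_src(["-module(signed_demo).",
                               "-export([hello/0]).",
                               "hello() -> world."]),
    Sig = sign(Beam, Priv),
    ok = load_verified(Mod, Beam, Sig, Pub),
    world = Mod:hello(),
    %% Flip one bit in the beam file: the signature no longer matches,
    %% so the tampered code never reaches the code server.
    Size = byte_size(Beam) - 1,
    <<Head:Size/binary, Last>> = Beam,
    Tampered = <<Head/binary, (Last bxor 1)>>,
    {error, bad_signature} = load_verified(Mod, Tampered, Sig, Pub),
    ok.
```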