[Ham-Mac] Review of ARRL Trusted QSL (tqsl) version 1.14

Alan Bomberger ae7tu at waldenpond.com
Tue May 21 18:23:39 EDT 2013 

As a security guru and an Apple fan, I have to comment on Gatekeeper.

Gatekeeper security is very much like airline security; a sham.

The fact that someone paid $99 to Apple and got some level of
scrutiny does not in any way assure the customer that the signed
code isn't dangerous.  In fact it makes the customer complacent
in the same way that believing that frisking nuns makes you feel
safer on airplanes.

Application security is possible and sandboxing is a big step in
that direction.  It can be somewhat of a pain to the customer to have
to explicitly give applications access to the resources it needs,
but that is what you want in the end anyway.

With today's systems which are not capability based, you have to trust
the source of code and signatures won't help you make that decision.  The
signature only assures you that the stated source of the code is, in
fact, the source of the code, not whether it is safe or adheres to
security protocols.

Apple claims to review code submitted to the App Store so there is
a chance that applications purchased from the store are safer but
only to the extent that the reviewer is able to determine.

Let the arrows fly.


>Hi Jack,
>
>	I agree. I'll put in a message to the 
>developers about this. tqsl/tqslcert are written 
>entirely in C++ using the wxWidgets library, so 
>you're correct that they're not Cocoa at all. 
>But, an application doesn't need to be written 
>in Cocoa to be signed for Gatekeeper, as that is 
>done after the application is compiled into an 
>executable. It will require the ARRL to sign up 
>for a Mac developer account with Apple and pay 
>$99/year.
>
>73,
>Andrew AC7CF
>
>On May 20, 2013, at 8:57 PM, Jack Brindle <jackbrindle at me.com> wrote:
>
>>  There was one thing about the (non) release 
>>that absolutely amazed me. The Mac version was 
>>_not_ signed for distribution. In these 10.8+ 
>>days of Mac OS X, that is a must, especially 
>>for security application.
>>
>>  But it is not written in Cocoa eitherŠ
>>
>>  Jack B, W6FB
>>
>>
>>  On May 20, 2013, at 2:06 PM, Dick Kriss <aa5vu at arrl.net> wrote:
>>
>>>  On May 20th, I posted a review of the new 
>>>Trusted QSL version 1.14 on eHam but may have 
>>>messed up the upload.  The following is a copy
>>>
>>>  http://www.eham.net/reviews/review/119383
>>>
>>>  Over the 2013 Dayton Hamfest weekend, I was 
>>>able to download, install and use a preview of 
>>>the ARRL Trusted QSL (tqsl) version 1.14 from 
>>>http://sourceforge.net/projects/trustedqsl/files/TrustedQSL/v1.14/. 
>>>The page has versions for Windows, Linux and 
>>>Mac OS X. I only tested the OS X version. Per 
>>>the LoTW web page 
>>>http://www.arrl.org/logbook-of-the-world tqsl 
>>>v1.14 was scheduled to be available on May 20, 
>>>2013; however, this may slip 10 days to allow 
>>>time for some final tweaks.
>>>
>>>  When I was in the software business, the 
>>>golden rule for a new software release was a 
>>>new version should let the users do exactly 
>>>what they used to do but give them some 
>>>options to do some things different. For 
>>>existing ARRL LoTW users who are used to tqsl 
>>>v1.13, the updated Trusted QSL (tqsl) version 
>>>1.14 works just the same. When you launch the 
>>>new update, you will notice under the File 
>>>menu there are two user options:
>>>
>>>  The option to "Sign and save..." works the 
>>>same as used in tqsl version 1.13 where you 
>>>select the log file to be signed and the file 
>>>is saved in .tq8 format to your hard drive. 
>>>You then manually upload the digitally signed 
>>>.tq8 file to the server via the LoTW web page 
>>>or send the file as an attachment to an email 
>>>message address to .
>>>
>>>  The "Sign and uploadŠ" option is the new 
>>>addition. When you select the "Sign and 
>>>upload..." option, you select your log file 
>>>and the tqsl app applies your digital 
>>>signature and uploads the log to the LoTW 
>>>server all in one-step. This is a one-step 
>>>option should make LoTW easier to use for some 
>>>users.
>>>
>>>  I tried both options and they worked FB. I 
>>>feel sure there are a number of under-the-hood 
>>>improvements but the updated tqsl application 
>>>does what is expected. It applies your digital 
>>>signature to log files for upload to the LoTW 
>>>server.
>  >>
>>>  Check the ARRL LoTW page for availability the of Trusted QSL version 1.14.
>>>
>>>  73 Dick, AA5VU
>>>  Austin, Texas
>>>  _______________________________________________
>>>  CTDXCC mailing list
>>>  CTDXCC at kkn.net
>>>  http://www.kkn.net/mailman/listinfo/ctdxcc
>>>  ______________________________________________________________
>>>  Ham-Mac mailing list
>>>  Home: http://mailman.qth.net/mailman/listinfo/ham-mac
>>>  Help: http://mailman.qth.net/mmfaq.htm
>>>  Post: mailto:Ham-Mac at mailman.qth.net
>>>
>>>  This list hosted by: http://www.qsl.net
>>>  Please help support this email list: http://www.qsl.net/donate.html
>>
>>  ______________________________________________________________
>>  Ham-Mac mailing list
>>  Home: http://mailman.qth.net/mailman/listinfo/ham-mac
>>  Help: http://mailman.qth.net/mmfaq.htm
>>  Post: mailto:Ham-Mac at mailman.qth.net
>>
>>  This list hosted by: http://www.qsl.net
>>  Please help support this email list: http://www.qsl.net/donate.html
>
>______________________________________________________________
>Ham-Mac mailing list
>Home: http://mailman.qth.net/mailman/listinfo/ham-mac
>Help: http://mailman.qth.net/mmfaq.htm
>Post: mailto:Ham-Mac at mailman.qth.net
>
>This list hosted by: http://www.qsl.net
>Please help support this email list: http://www.qsl.net/donate.html


-- 
It is seldom that liberty of any kind is lost all at once. - David Hume
<http://www.waldenpond.com/Thinker> Hypertext editor for creative people.

More information about the Ham-Mac mailing list