community-dev mailing list archives

From: "Henk P. Penning" <penn...@uu.nl>
Subject: Re: Feedback on dist health checker (was: [jira] [Commented] (COMDEV-248) add /dist/ health issues)
Date: Thu, 25 Jan 2018 17:07:33 GMT

On Thu, 25 Jan 2018, sebb wrote:

> Date: Thu, 25 Jan 2018 11:15:10 +0100
> From: sebb <sebbaz@gmail.com>
> To: dev@community.apache.org
> Subject: Re: Feedback on dist health checker (was: [jira] [Commented]
>     (COMDEV-248) add /dist/ health issues)

>>   KEYS files aren't necessary to verify a download ; see
>>     https://checker.apache.org/dist/verify.html
>
> That uses the SHA-1 hash which is known to be insecure.
> It may only be easy to forge for PDFs and images at present, but that
> will change.

   When it changes, we can switch to SHA-256 in no time,
   without any impact for the PMCs.

>>   For example [good and bad] :
>>
>> https://checker.apache.org/sums/b210887198f38bd3ab3dd4f38f056d0143afcf38.html
>>
>> https://checker.apache.org/sums/8347323be17d484be69b9fb094bf110993c66c39.html
>
> It's not immediately obvious that the download is bad,
> nor what to do about it.

   It seems you don't understand the magic ; a 'bad' download
   results in a 'bad' checksum ; right?
   For example [change the last digit in the first example ; 38. -> 30. ] :

https://checker.apache.org/sums/b210887198f38bd3ab3dd4f38f056d0143afcf30.html

>> https://checker.apache.org/sums/4a23503e9c272eed58c86046a8da737866cd1aff.html
>
> No idea why some of those have a verify section and some not.

   A 'verify-section' is shown, if the project has deployed a META file,
   and the object can be verified.

   See https://checker.apache.org/doc/README.html#ch-meta

   Regards,

   Henk Penning

------------------------------------------------------------   _
Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl     \_/
