felix-dev mailing list archives

From "Olaf Kock (JIRA)" <j...@apache.org>
Subject [jira] Commented: (FELIX-726) MD5 checksum handling issue with Felix download pages/mirrors
Date Sun, 21 Dec 2008 16:20:44 GMT

    [ https://issues.apache.org/jira/browse/FELIX-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658394#action_12658394 ]

Olaf Kock commented on FELIX-726:

Is there anything I can do in order to raise sensitivity for this issue? It's basically opening
Felix downloads to compromised servers - not that it will overall stay undetected, but linking
the MD5 sums to the mirror servers does enable attackers to compromise a mirror server, provide
their own changed version of Felix together with their own MD5 checksum.

It's not that much a change - the download links would just need to point to the apache site
instead of the mirrors for the MD5sums. Or get rid of MD5 completely and just use cryptographic
signatures (asc), though these are probably not as easy to handle for everybody and thus this
would lower security again...

> MD5 checksum handling issue with Felix download pages/mirrors
> -------------------------------------------------------------
>                 Key: FELIX-726
>                 URL: https://issues.apache.org/jira/browse/FELIX-726
>             Project: Felix
>          Issue Type: Bug
>         Environment: http://felix.apache.org/site/downloads.cgi
>            Reporter: Olaf Kock
> Hi there,
> I understand MD5 checksums as means to detect if the file that I've just downloaded is a) complete and b) the one I expected to download. While I never check a) unless I get an error unpacking, b) is very important.
> As Apache is relying heavily on mirrors, I'd like to have to trust Apache but I can't trust every mirror server. As the MD5 sums that are linked on the download server point to the mirrors themselves, this is of no value. I'd rather like them to point to the central Apache server. The few bytes for the checksums shouldn't matter much.
> Compromised mirrors would make it easy to exchange the downloaded file together with their MD5 sum - this would be somewhat more difficult to discover than getting the MD5 from an authoritative source.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
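
The check discussed in this message, as an added example that is not part of the original email or of the Felix project: a download verifier that accepts a checksum only when it was fetched over HTTPS from the authoritative host, never from the mirror that served the file. The host names, URLs and file contents are constructed assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the project's own host is the only trusted origin for checksums.
AUTHORITATIVE_HOST = "www.apache.org"


def parse_md5_file(text):
    """Return the hex digest from a .md5 file ('<hex>' or '<hex>  <name>')."""
    fields = text.split()
    token = fields[0].lower() if fields else ""
    if len(token) != 32 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not an MD5 hex digest")
    return token


def checksum_source_trusted(checksum_url):
    """Accept a checksum only over HTTPS from the authoritative host."""
    parts = urlsplit(checksum_url)
    return parts.scheme == "https" and parts.hostname == AUTHORITATIVE_HOST


def verify_download(artifact, checksum_url, checksum_text):
    """Return (ok, reason) for an artifact and the checksum fetched for it."""
    if not checksum_source_trusted(checksum_url):
        return False, "checksum not from authoritative host"
    expected = parse_md5_file(checksum_text)
    actual = hashlib.md5(artifact).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample data: a genuine release and a mirror's altered copy.
GENUINE = b"constructed genuine felix release bytes"
TAMPERED = b"constructed altered release bytes"
GENUINE_MD5 = hashlib.md5(GENUINE).hexdigest() + "  felix.zip\n"
TAMPERED_MD5 = hashlib.md5(TAMPERED).hexdigest() + "  felix.zip\n"
MIRROR_URL = "https://mirror.example.net/felix/felix.zip.md5"  # constructed
ORIGIN_URL = "https://www.apache.org/EXAMPLE/felix.zip.md5"  # constructed path

if __name__ == "__main__":
    # Altered file plus the mirror's own matching checksum: rejected on source.
    print(verify_download(TAMPERED, MIRROR_URL, TAMPERED_MD5))
    # Altered file checked against the authoritative checksum: mismatch.
    print(verify_download(TAMPERED, ORIGIN_URL, GENUINE_MD5))
    # Genuine file fetched from any mirror, authoritative checksum: accepted.
    print(verify_download(GENUINE, ORIGIN_URL, GENUINE_MD5))
```

The first case is the one the issue describes: the altered file and its checksum agree with each other, so only the origin of the checksum exposes the substitution.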
