httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: [PATCH] roll.sh output equal checksum files independent of OS
Date Thu, 24 Sep 2009 21:42:49 GMT
On 24.09.2009 23:11, Guenter Knauf wrote:
> Hi,
> here's based on input from Rainer and Rüdiger my last trial unless I get
> further positive comments instead of disappointing ones ...
> highlighted:
> http://people.apache.org/~fuankg/testchecksum/testchecksums.sh.html
> plaintext:
> http://people.apache.org/~fuankg/testchecksum/testchecksums.sh.txt
> with .sh extension for download:
> http://people.apache.org/~fuankg/testchecksum/testchecksums.sh
> 
> tested on:
> - Linux (OpenSuSE) with openssl, gpg, md5sum / sha1sum
> - FreeBSD (p.a.o) with openssl and md5 / sha1

I like it.

> it will most likely also work correctly on MacOSX.
> 
> If there's acceptance, and we commit it, I will also write some lines to
> explain how to use the common, widespread checksum tools to verify tarballs
> which we can then either add to the download page; or better add a
> separate static html page, and link to it from download page.

One important note (and that's what Roy was saying): if users want to
really verify a download, they have to use the signature. That's pretty
well explained on the download page. We should not give users the
impression that a cheap "md5sum -c" is equally fine. Biggest difference:
checking the hash only ensures that your local file fits the md5
sum. If the server were hacked, you wouldn't detect a compromised
download as long as the md5 was also compromised.

The signature check tells you that the file is the one the guy with the
signature signed, and if you also verify whether that guy is in your web
of trust, then your download is safe (as long as the signing key is).

So I think we should not put much focus on explaining how to check hash,
but making it simpler is still nice.

Regards,

Rainer
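
The difference described in the message above, as an added example that is not part of the original thread: a checksum stored next to the file still matches after both are replaced, while a detached signature does not. Assumptions: openssl RSA signatures stand in for the PGP signatures on the real download page, and all file names, contents and helper functions are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo, not from the thread: a checksum fetched from the same
# server as the file vs. a detached signature, after the server is tampered with.
# Assumption: openssl RSA signatures stand in for the PGP signatures used on
# the real download page; all file names and contents are made up.

md5_of() { openssl dgst -md5 "$1" | sed 's/^.*= *//'; }

# 0 if the file matches the .md5 published next to it
hash_ok() { [ "$(md5_of "$1")" = "$(cat "$1.md5")" ]; }

# 0 if the detached .sig verifies against a public key obtained out of band
sig_ok() {
  openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1
}

status() { if "$@"; then echo ok; else echo FAIL; fi; }

demo() {
  d=$(mktemp -d) || return 1
  # Release manager: the private key never leaves their machine.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/rm.key" 2>/dev/null
  openssl pkey -in "$d/rm.key" -pubout -out "$d/rm.pub"

  # Download server: tarball, checksum and signature side by side.
  f="$d/release.tar"
  printf 'genuine release\n' > "$f"
  md5_of "$f" > "$f.md5"
  openssl dgst -sha256 -sign "$d/rm.key" -out "$f.sig" "$f"
  echo "genuine:  hash=$(status hash_ok "$f") sig=$(status sig_ok "$f" "$d/rm.pub")"

  # Server compromised: file replaced and .md5 regenerated to match.
  # The .sig cannot be regenerated without the private key.
  printf 'tampered release\n' > "$f"
  md5_of "$f" > "$f.md5"
  echo "tampered: hash=$(status hash_ok "$f") sig=$(status sig_ok "$f" "$d/rm.pub")"
  rm -rf "$d"
}

demo
```

The signature check is only as good as the way the public key was obtained; a key downloaded from the same server as the file gives no more assurance than the `.md5` does.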
