incubator-general mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: Digests in releases
Date Thu, 31 Aug 2017 20:35:20 GMT
Regardless of what Jane User knows, and we have 200 million Jane Users of Apache OpenOffice,
I think it would be helpful to have an Apache Download checker program/script that could be
run to confirm the bona fides.

An idea.

Regards,
Dave

> On Aug 31, 2017, at 1:22 PM, Julian Hyde <jhyde.apache@gmail.com> wrote:
> 
> I know this. You know this. Joe User does not know this. I am trying to make Joe User’s life easier.
> 
> Since SHA256 is sufficient for both purposes why does release policy MANDATE that projects include an MD5?
> 
> Julian
> 
> 
>> On Aug 31, 2017, at 1:17 PM, Ted Dunning <ted.dunning@gmail.com> wrote:
>> 
>> The checksum is not a tampering countermeasure.
>> 
>> It is a "mirror ran out of disk space" or "IP checksums are only 32 bits"
>> countermeasure.
>> 
>> 
>> 
>> On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jhyde@apache.org> wrote:
>> 
>>> As security experts, you and I know that. But Joe User maybe only checks
>>> one digest.
>>> 
>>> (Aren’t we all Joe User sometimes?)
>>> 
>>> Julian
>>> 
>>>> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jumper@guac-dev.org> wrote:
>>>> 
>>>> On Aug 31, 2017 11:21, "Julian Hyde" <jhyde@apache.org> wrote:
>>>> 
>>>> After downloading artifacts, there are 3 things to check: (1) the download
>>>> is successful; (2) the artifacts were indeed created by the named author;
>>>> and (3) the artifacts have not been tampered with.
>>>> 
>>>> A security expert would know to use the .md5 for (1), the .asc for (2), and
>>>> the .sha256 or .sha512 for (3).
>>>> 
>>>> 
>>>> If there is a danger that the artifacts may be tampered with, there is an
>>>> equivalent danger that the checksum files will be tampered with, as well.
>>>> Checksums alone cannot be relied upon to verify an artifact hasn't been
>>>> altered.
>>>> 
>>>> Only the signature allows verification of authorship and integrity ...
>>>> assuming users have secure access to the corresponding public keys, and
>>>> that those keys are linked into the web of trust.
>>>> 
>>>> - Mike
>>> 
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>>> For additional commands, e-mail: general-help@incubator.apache.org
>>> 
>>> 
> 
> 
> 
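
A sketch of the kind of download checker suggested at the top of this message, as an added example that is not code from the thread or from any Apache project. It reports the transfer check (digest) and the authorship check (signature) separately, so a matching digest is never presented as proof against tampering. Assumptions: the function names and the `example-1.0.tgz` file name are hypothetical, `gpg` is on the PATH, and the release signing key has already been imported from a trusted source.

```python
import hashlib, hmac, re, subprocess, tempfile
from pathlib import Path

ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}  # MD5/SHA-1 lengths are not accepted

def parse_digest(text):
    """Accept 'hex', 'hex  name', 'SHA512(name)= hex' and 'name: AB12 CD34 ...' layouts."""
    tokens = re.split(r"[:=]", text, maxsplit=1)[-1].split()
    first = tokens[0] if tokens else ""
    for cand in (first.lower(), "".join(tokens).lower()):
        if len(cand) in ALGO_BY_HEX_LEN and re.fullmatch(r"[0-9a-f]+", cand):
            return ALGO_BY_HEX_LEN[len(cand)], cand
    raise ValueError("no SHA-256 or SHA-512 digest found")

def digest_ok(artifact, digest_text):
    """Transfer check only: does the file hash to the published digest?"""
    algo, expected = parse_digest(digest_text)
    h = hashlib.new(algo)
    with open(artifact, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

def signature_ok(artifact, asc):
    """Authorship check: detached signature verified by gpg against the local keyring."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           str(asc), str(artifact)], capture_output=True, text=True)
    good = any(l.startswith("[GNUPG:] GOODSIG") for l in proc.stdout.splitlines())
    return proc.returncode == 0 and good

def check_download(artifact, digest_text, asc=None):
    """'authentic' stays None (unknown) unless a signature was actually verified."""
    return {"transfer_intact": digest_ok(artifact, digest_text),
            "authentic": signature_ok(artifact, asc) if asc else None}

def demo():
    """Constructed sample: whoever swaps the artifact can regenerate the digest file too."""
    with tempfile.TemporaryDirectory() as d:
        art = Path(d) / "example-1.0.tgz"            # hypothetical artifact name
        art.write_bytes(b"original release bytes")
        published = hashlib.sha512(art.read_bytes()).hexdigest() + "  example-1.0.tgz\n"
        honest = check_download(art, published)
        art.write_bytes(b"tampered release bytes")
        stale = check_download(art, published)        # old digest: mismatch is caught
        forged = hashlib.sha512(art.read_bytes()).hexdigest().upper()
        forged_text = "example-1.0.tgz: " + " ".join(forged[i:i + 8] for i in range(0, 128, 8))
        swapped = check_download(art, forged_text)    # digest matches, authorship unknown
    return honest, stale, swapped

if __name__ == "__main__":
    print(demo())
```

In the third case the digest matches the altered file, and only the `authentic` field, which needs the `.asc` and a trusted key, would distinguish it from the genuine release.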

