incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Julian Hyde <jh...@apache.org>
Subject Re: Digests in releases
Date Thu, 31 Aug 2017 18:35:34 GMT
As security experts, you and I know that. But Joe User maybe only checks one digest.

(Aren’t we all Joe User sometimes?)

Julian

> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jumper@guac-dev.org> wrote:
> 
> On Aug 31, 2017 11:21, "Julian Hyde" <jhyde@apache.org> wrote:
> 
> After downloading artifacts, there are 3 things to check: (1) the download
> is successful; (2) the artifacts were indeed created by the named author;
> and (3) the artifacts have not been tampered with.
> 
> A security expert would know to use the .md5 for (1), the .asc for (2), and
> the .sha256 or .sha512 for (3).
> 
> 
> If there is a danger that the artifacts may be tampered with, there is an
> equivalent danger that the checksum files will be tampered with, as well.
> Checksums alone cannot be relied upon to verify an artifact hasn't been
> altered.
> 
> Only the signature allows verification of authorship and integrity ...
> assuming users have secure access to the corresponding public keys, and
> that those keys are linked into the web of trust.
> 
> - Mike


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message