incubator-general mailing list archives

From Ted Dunning <ted.dunn...@gmail.com>
Subject Re: Digests in releases
Date Thu, 31 Aug 2017 21:08:31 GMT

I thought that gpg does that.

On Thu, Aug 31, 2017 at 1:35 PM, Dave Fisher <dave2wave@comcast.net> wrote:

> Regardless of what Jane User knows, and we have 200 million Jane Users of
> Apache OpenOffice, I think it would be helpful to have an Apache Download
> checker program/script that could be run to confirm the bona fides.
>
> An idea.
>
> Regards,
> Dave
>
> > On Aug 31, 2017, at 1:22 PM, Julian Hyde <jhyde.apache@gmail.com> wrote:
> >
> > I know this. You know this. Joe User does not know this. I am trying to
> > make Joe User’s life easier.
> >
> > Since SHA256 is sufficient for both purposes why does release policy
> > MANDATE that projects include an MD5?
> >
> > Julian
> >
> >
> >> On Aug 31, 2017, at 1:17 PM, Ted Dunning <ted.dunning@gmail.com> wrote:
> >>
> >> The checksum is not a tampering countermeasure.
> >>
> >> It is a "mirror ran out of disk space" or "IP checksums are only 32 bits"
> >> countermeasure.
> >>
> >>
> >>
> >> On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jhyde@apache.org> wrote:
> >>
> >>> As security experts, you and I know that. But Joe User maybe only checks
> >>> one digest.
> >>>
> >>> (Aren’t we all Joe User sometimes?)
> >>>
> >>> Julian
> >>>
> >>>> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jumper@guac-dev.org> wrote:
> >>>>
> >>>> On Aug 31, 2017 11:21, "Julian Hyde" <jhyde@apache.org> wrote:
> >>>>
> >>>> After downloading artifacts, there are 3 things to check: (1) the download
> >>>> is successful; (2) the artifacts were indeed created by the named author;
> >>>> and (3) the artifacts have not been tampered with.
> >>>>
> >>>> A security expert would know to use the .md5 for (1), the .asc for (2), and
> >>>> the .sha256 or .sha512 for (3).
> >>>>
> >>>>
> >>>> If there is a danger that the artifacts may be tampered with, there is an
> >>>> equivalent danger that the checksum files will be tampered with, as well.
> >>>> Checksums alone cannot be relied upon to verify an artifact hasn't been
> >>>> altered.
> >>>>
> >>>> Only the signature allows verification of authorship and integrity ...
> >>>> assuming users have secure access to the corresponding public keys, and
> >>>> that those keys are linked into the web of trust.
> >>>>
> >>>> - Mike
> >>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> >>> For additional commands, e-mail: general-help@incubator.apache.org
> >>>
> >>>
> >
> >
>
>
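
One way to write the download checker proposed in the thread, keeping the digest check (download arrived intact) separate from the signature check (authorship and integrity). This is an added example, not code from the thread or from any Apache project; the function names and file names are hypothetical, and the three checksum-file layouts it parses are an assumption about what a mirror may serve.

```python
import hashlib, hmac, re, shutil, subprocess, tempfile
from pathlib import Path

ALGO_BY_HEXLEN = {32: "md5", 64: "sha256", 128: "sha512"}

def expected_digest(text: str) -> str:
    """Pull the hex digest out of a checksum file body.

    Accepts a bare digest, 'digest  filename' (sha256sum style) and
    'filename: AB12 CD34 ...', possibly wrapped (gpg --print-md style)."""
    text = text.strip()
    m = re.fullmatch(r"[^:\n]+:([0-9A-Fa-f\s]+)", text)
    digest = re.sub(r"\s+", "", m.group(1)) if m else (text.split() or [""])[0]
    if len(digest) not in ALGO_BY_HEXLEN or not re.fullmatch(r"[0-9A-Fa-f]+", digest):
        raise ValueError("no md5/sha256/sha512 digest found")
    return digest.lower()

def digest_matches(artifact: Path, checksum_file: Path) -> bool:
    """Check (1): the download arrived complete and uncorrupted."""
    want = expected_digest(checksum_file.read_text())
    h = hashlib.new(ALGO_BY_HEXLEN[len(want)])
    with artifact.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), want)

def signature_ok(artifact: Path, asc: Path):
    """Checks (2) and (3): gpg --verify against keys already in the caller's
    keyring. Returns None when gpg is not installed."""
    if shutil.which("gpg") is None:
        return None
    cmd = ["gpg", "--batch", "--verify", str(asc), str(artifact)]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def swapped_pair_passes_digest() -> bool:
    """Constructed data: whoever can replace the artifact on a mirror can
    replace its checksum file too, and the digest check still passes."""
    with tempfile.TemporaryDirectory() as d:
        art = Path(d, "demo-1.0.tar.gz")
        chk = Path(d, "demo-1.0.tar.gz.sha256")
        art.write_bytes(b"replaced contents")
        line = hashlib.sha256(b"replaced contents").hexdigest() + "  demo-1.0.tar.gz\n"
        chk.write_text(line)
        return digest_matches(art, chk)
```

A checker built on these should report the download as authentic only when `signature_ok` returns `True`; a passing `digest_matches` says only that the bytes match the checksum file that was fetched alongside them.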
