incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Schaefer <joes...@gmail.com>
Subject Re: Digests in releases
Date Thu, 31 Aug 2017 22:31:19 GMT
Henk's scripting does that and much more.

On Thu, Aug 31, 2017 at 5:09 PM Ted Dunning <ted.dunning@gmail.com> wrote:

> I thought that gpg does that.
>
> On Thu, Aug 31, 2017 at 1:35 PM, Dave Fisher <dave2wave@comcast.net>
> wrote:
>
> > Regardless of what Jane User knows, and we have 200 million Jane Users of
> > Apache OpenOffice, I think it would be helpful to have an Apache Download
> > checker program/script that could be run to confirm the bonafides.
> >
> > An idea.
> >
> > Regards,
> > Dave
> >
> > > On Aug 31, 2017, at 1:22 PM, Julian Hyde <jhyde.apache@gmail.com>
> wrote:
> > >
> > > I know this. You know this. Joe User does not know this. I am trying to
> > make Joe User’s life easier.
> > >
> > > Since SHA256 is sufficient for both purposes why does release policy
> > MANDATE that projects include an MD5?
> > >
> > > Julian
> > >b
> > >
> > >> On Aug 31, 2017, at 1:17 PM, Ted Dunning <ted.dunning@gmail.com>
> wrote:
> > >>
> > >> The checksum is not a tampering countermeasure.
> > >>
> > >> It is a "mirror ran out of diskpace" or "IP checksums are only 32
> bits"
> > >> countermeasure.
> > >>
> > >>
> > >>
> > >> On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jhyde@apache.org>
> wrote:
> > >>
> > >>> As security experts, you and I know that. But Joe User maybe only
> > checks
> > >>> one digest.
> > >>>
> > >>> (Aren’t we all Joe User sometimes?)
> > >>>
> > >>> Julian
> > >>>
> > >>>> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jumper@guac-dev.org
> >
> > >>> wrote:
> > >>>>
> > >>>> On Aug 31, 2017 11:21, "Julian Hyde" <jhyde@apache.org> wrote:
> > >>>>
> > >>>> After downloading artifacts, there are 3 things to check: (1) the
> > >>> download
> > >>>> is successful; (2) the artifacts were indeed created by the named
> > author;
> > >>>> and (3) the artifacts have not been tampered with.
> > >>>>
> > >>>> A security expert would know to use the .md5 for (1), the .asc
for
> > (2),
> > >>> and
> > >>>> the .sha256 or .sha512 for (3).
> > >>>>
> > >>>>
> > >>>> If there is a danger that the artifacts may be tampered with, there
> > is an
> > >>>> equivalent danger that the checksum files will be tampered with,
as
> > well.
> > >>>> Checksums alone cannot be relied upon to verify an artifact hasn't
> > been
> > >>>> altered.
> > >>>>
> > >>>> Only the signature allows verification of authorship and integrity
> ...
> > >>>> assuming users have secure access to the corresponding public keys,
> > and
> > >>>> that those keys are linked into the web of trust.
> > >>>>
> > >>>> - Mike
> > >>>
> > >>>
> > >>> ---------------------------------------------------------------------
> > >>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> > >>> For additional commands, e-mail: general-help@incubator.apache.org
> > >>>
> > >>>
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> > > For additional commands, e-mail: general-help@incubator.apache.org
> > >
> >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message