incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Fisher <dave2w...@comcast.net>
Subject Re: Digests in releases
Date Fri, 01 Sep 2017 02:36:34 GMT
Hey Joe,

Thanks for the pointer. I think Henk needs to be involved.

Regards,
Dave

Sent from my iPhone

> On Aug 31, 2017, at 3:31 PM, Joe Schaefer <joesuf4@gmail.com> wrote:
> 
> Henk's scripting does that and much more.
> 
>> On Thu, Aug 31, 2017 at 5:09 PM Ted Dunning <ted.dunning@gmail.com> wrote:
>> 
>> I thought that gpg does that.
>> 
>> On Thu, Aug 31, 2017 at 1:35 PM, Dave Fisher <dave2wave@comcast.net>
>> wrote:
>> 
>>> Regardless of what Jane User knows, and we have 200 million Jane Users of
>>> Apache OpenOffice, I think it would be helpful to have an Apache Download
>>> checker program/script that could be run to confirm the bonafides.
>>> 
>>> An idea.
>>> 
>>> Regards,
>>> Dave
>>> 
>>>> On Aug 31, 2017, at 1:22 PM, Julian Hyde <jhyde.apache@gmail.com>
>> wrote:
>>>> 
>>>> I know this. You know this. Joe User does not know this. I am trying to
>>> make Joe User’s life easier.
>>>> 
>>>> Since SHA256 is sufficient for both purposes why does release policy
>>> MANDATE that projects include an MD5?
>>>> 
>>>> Julian
>>>> b
>>>> 
>>>>> On Aug 31, 2017, at 1:17 PM, Ted Dunning <ted.dunning@gmail.com>
>> wrote:
>>>>> 
>>>>> The checksum is not a tampering countermeasure.
>>>>> 
>>>>> It is a "mirror ran out of diskpace" or "IP checksums are only 32
>> bits"
>>>>> countermeasure.
>>>>> 
>>>>> 
>>>>> 
>>>>> On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jhyde@apache.org>
>> wrote:
>>>>> 
>>>>>> As security experts, you and I know that. But Joe User maybe only
>>> checks
>>>>>> one digest.
>>>>>> 
>>>>>> (Aren’t we all Joe User sometimes?)
>>>>>> 
>>>>>> Julian
>>>>>> 
>>>>>>> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jumper@guac-dev.org
>>> 
>>>>>> wrote:
>>>>>>> 
>>>>>>> On Aug 31, 2017 11:21, "Julian Hyde" <jhyde@apache.org>
wrote:
>>>>>>> 
>>>>>>> After downloading artifacts, there are 3 things to check: (1)
the
>>>>>> download
>>>>>>> is successful; (2) the artifacts were indeed created by the named
>>> author;
>>>>>>> and (3) the artifacts have not been tampered with.
>>>>>>> 
>>>>>>> A security expert would know to use the .md5 for (1), the .asc
for
>>> (2),
>>>>>> and
>>>>>>> the .sha256 or .sha512 for (3).
>>>>>>> 
>>>>>>> 
>>>>>>> If there is a danger that the artifacts may be tampered with,
there
>>> is an
>>>>>>> equivalent danger that the checksum files will be tampered with,
as
>>> well.
>>>>>>> Checksums alone cannot be relied upon to verify an artifact hasn't
>>> been
>>>>>>> altered.
>>>>>>> 
>>>>>>> Only the signature allows verification of authorship and integrity
>> ...
>>>>>>> assuming users have secure access to the corresponding public
keys,
>>> and
>>>>>>> that those keys are linked into the web of trust.
>>>>>>> 
>>>>>>> - Mike
>>>>>> 
>>>>>> 
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>>>>>> For additional commands, e-mail: general-help@incubator.apache.org
>>>>>> 
>>>>>> 
>>>> 
>>>> 
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>>>> For additional commands, e-mail: general-help@incubator.apache.org
>>>> 
>>> 
>>> 
>> 


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message