incubator-general mailing list archives

From Julian Hyde <jhyde.apa...@gmail.com>
Subject Re: Digests in releases
Date Thu, 31 Aug 2017 20:22:20 GMT
I know this. You know this. Joe User does not know this. I am trying to make Joe User’s life
easier.

Since SHA256 is sufficient for both purposes why does release policy MANDATE that projects
include an MD5?

Julian


> On Aug 31, 2017, at 1:17 PM, Ted Dunning <ted.dunning@gmail.com> wrote:
> 
> The checksum is not a tampering countermeasure.
> 
> It is a "mirror ran out of disk space" or "IP checksums are only 32 bits"
> countermeasure.
> 
> 
> 
> On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jhyde@apache.org> wrote:
> 
>> As security experts, you and I know that. But Joe User maybe only checks
>> one digest.
>> 
>> (Aren’t we all Joe User sometimes?)
>> 
>> Julian
>> 
>>> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jumper@guac-dev.org> wrote:
>>> 
>>> On Aug 31, 2017 11:21, "Julian Hyde" <jhyde@apache.org> wrote:
>>> 
>>> After downloading artifacts, there are 3 things to check: (1) the download
>>> is successful; (2) the artifacts were indeed created by the named author;
>>> and (3) the artifacts have not been tampered with.
>>> 
>>> A security expert would know to use the .md5 for (1), the .asc for (2), and
>>> the .sha256 or .sha512 for (3).
>>> 
>>> 
>>> If there is a danger that the artifacts may be tampered with, there is an
>>> equivalent danger that the checksum files will be tampered with, as well.
>>> Checksums alone cannot be relied upon to verify an artifact hasn't been
>>> altered.
>>> 
>>> Only the signature allows verification of authorship and integrity ...
>>> assuming users have secure access to the corresponding public keys, and
>>> that those keys are linked into the web of trust.
>>> 
>>> - Mike
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>> 
>> 
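
Added example, not part of the original thread and not Apache tooling: a sidecar digest check run over constructed data, covering the two cases the thread contrasts (a damaged download, and an artifact replaced together with its digest file). The file name demo-1.0.tar.gz, the helper names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import re

_HEX = re.compile(r"\b[0-9a-fA-F]{32,128}\b")


def parse_sidecar(text, algo):
    """Pull the hex digest out of a sidecar: bare hex, 'hex  name' or 'ALGO (name) = hex'."""
    want = hashlib.new(algo).digest_size * 2  # hex characters for this algorithm
    for match in _HEX.finditer(text):
        if len(match.group()) == want:
            return match.group().lower()
    raise ValueError(f"no {algo} digest found in sidecar")


def check_download(artifact, sidecar_text, algo="sha256"):
    """True if the artifact bytes hash to the digest published next to them."""
    return hashlib.new(algo, artifact).hexdigest() == parse_sidecar(sidecar_text, algo)


def demo():
    # Constructed sample data; demo-1.0.tar.gz is a hypothetical file name.
    release = b"constructed release payload\n" * 1000
    sha_sidecar = hashlib.sha256(release).hexdigest() + "  demo-1.0.tar.gz\n"
    md5_sidecar = "MD5 (demo-1.0.tar.gz) = " + hashlib.md5(release).hexdigest() + "\n"

    truncated = release[: len(release) // 2]  # the mirror-out-of-disk-space case
    altered = release.replace(b"payload", b"PAYLOAD", 1)
    # Whoever can replace the artifact on a mirror can replace the sidecar too.
    altered_sidecar = hashlib.sha256(altered).hexdigest() + "  demo-1.0.tar.gz\n"

    return {
        "intact_sha256": check_download(release, sha_sidecar),
        "intact_md5": check_download(release, md5_sidecar, "md5"),
        "truncated": check_download(truncated, sha_sidecar),
        "altered_original_sidecar": check_download(altered, sha_sidecar),
        "altered_rewritten_sidecar": check_download(altered, altered_sidecar),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} {'digest matches' if ok else 'digest MISMATCH'}")
```

The last case reports a match although the bytes differ from the release, which is the gap the .asc signature check against a trusted key is meant to close.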

