incubator-general mailing list archives

From Ted Dunning <ted.dunn...@gmail.com>
Subject Re: Digests in releases
Date Thu, 31 Aug 2017 20:17:31 GMT
The checksum is not a tampering countermeasure.

It is a "mirror ran out of disk space" or "IP checksums are only 32 bits"
countermeasure.



On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jhyde@apache.org> wrote:

> As security experts, you and I know that. But Joe User maybe only checks
> one digest.
>
> (Aren’t we all Joe User sometimes?)
>
> Julian
>
> > On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jumper@guac-dev.org> wrote:
> >
> > On Aug 31, 2017 11:21, "Julian Hyde" <jhyde@apache.org> wrote:
> >
> > After downloading artifacts, there are 3 things to check: (1) the download
> > is successful; (2) the artifacts were indeed created by the named author;
> > and (3) the artifacts have not been tampered with.
> >
> > A security expert would know to use the .md5 for (1), the .asc for (2), and
> > the .sha256 or .sha512 for (3).
> >
> >
> > If there is a danger that the artifacts may be tampered with, there is an
> > equivalent danger that the checksum files will be tampered with, as well.
> > Checksums alone cannot be relied upon to verify an artifact hasn't been
> > altered.
> >
> > Only the signature allows verification of authorship and integrity ...
> > assuming users have secure access to the corresponding public keys, and
> > that those keys are linked into the web of trust.
> >
> > - Mike

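The distinction argued in this thread, as an added example that is not part of any of the messages: a digest file served next to the artifact catches a truncated download but not an artifact whose digest file was replaced along with it, while a signature checked against an out-of-band public key catches both. The artifact name and bytes are constructed, and a Lamport one-time signature built from SHA-256 stands in for the OpenPGP `.asc` signature so the example needs only the standard library.

```python
import hashlib
import secrets

NAME = "app-1.0.tar.gz"  # constructed artifact name

def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()

def _bits(data):
    # 256 message bits: the SHA-256 digest of the artifact
    d = hashlib.sha256(data).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: 256 pairs of secrets, public key = their hashes
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk

def sign(sk, data):
    return [sk[i][b] for i, b in enumerate(_bits(data))]

def verify(pk, data, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == pk[i][b]
        for i, (b, s) in enumerate(zip(_bits(data), sig)))

def digest_ok(mirror):
    # Compares the artifact with the .sha512 file served by the same mirror
    return sha512_hex(mirror[NAME]) == mirror[NAME + ".sha512"]

def signature_ok(mirror, trusted_pk):
    # trusted_pk was obtained out of band, not from the mirror
    return verify(trusted_pk, mirror[NAME], mirror[NAME + ".asc"])

def build_mirrors():
    release = b"constructed release bytes\n" * 100
    sk, pk = keygen()
    honest = {NAME: release, NAME + ".sha512": sha512_hex(release),
              NAME + ".asc": sign(sk, release)}
    # Mirror ran out of disk space: artifact cut short, side files intact
    truncated = {**honest, NAME: release[:700]}
    # Artifact altered and its digest file regenerated to match; the old
    # signature is all the mirror has, since the private key stays with the signer
    altered = release + b"extra line\n"
    tampered = {**honest, NAME: altered, NAME + ".sha512": sha512_hex(altered)}
    return pk, {"honest": honest, "truncated": truncated, "tampered": tampered}

if __name__ == "__main__":
    pk, mirrors = build_mirrors()
    for label, m in mirrors.items():
        print(f"{label:9} digest_ok={digest_ok(m)} signature_ok={signature_ok(m, pk)}")
```

The signature result is only as good as the channel the public key came through, which is the condition Mike attaches at the end of his message.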