incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <mike.jum...@guac-dev.org>
Subject Re: Digests in releases
Date Thu, 31 Aug 2017 18:30:26 GMT
On Aug 31, 2017 11:21, "Julian Hyde" <jhyde@apache.org> wrote:

After downloading artifacts, there are 3 things to check: (1) the download
is successful; (2) the artifacts were indeed created by the named author;
and (3) the artifacts have not been tampered with.

A security expert would know to use the .md5 for (1), the .asc for (2), and
the .sha256 or .sha512 for (3).


If there is a danger that the artifacts may be tampered with, there is an
equivalent danger that the checksum files will be tampered with, as well.
Checksums alone cannot be relied upon to verify an artifact hasn't been
altered.

Only the signature allows verification of authorship and integrity ...
assuming users have secure access to the corresponding public keys, and
that those keys are linked into the web of trust.

- Mike

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message