From: Christian Rebischke <Chris.Rebischke@archlinux.org>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: signed tarballs
Date: Thu, 13 Apr 2017 22:56:49 +0200 [thread overview]
Message-ID: <20170413205649.GA19785@motoko> (raw)
In-Reply-To: <CAFftDdovoD5zoRTtnDj39Jz0Wxej8a=+o_ftR-A4NN5AMu1yjQ@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 673 bytes --]
On Thu, Apr 13, 2017 at 01:30:57PM -0700, William Roberts wrote:
> That's not true, he's providing you a detached signature via this
> mechanism. You just need to check the sha256sum before extraction.
The problem with providing only a SHA256 hash is that the hash was
provide via an insecure channel. I can't be sure that the hash is really
from him because he didn't even sign his mails. Someone could spoof his
mail or MITM in the webserver with the tarballs, etc etc..
The only secure way to ensure the original content of the tarball is via
signed tarballs signed by the developer.
Checksums and signed tarballs are totally two different things.
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2017-04-13 20:56 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-06 23:31 signed tarballs Christian Rebischke
2017-04-07 1:27 ` William Roberts
2017-04-07 23:41 ` Christian Rebischke
2017-04-07 23:52 ` William Roberts
2017-04-08 12:53 ` Paul Moore
2017-04-10 18:51 ` Steve Grubb
2017-04-10 18:35 ` Steve Grubb
2017-04-11 10:44 ` Christian Rebischke
2017-04-11 14:03 ` Steve Grubb
2017-04-13 20:28 ` Christian Rebischke
2017-04-13 20:30 ` William Roberts
2017-04-13 20:43 ` Steve Grubb
2017-04-13 20:56 ` Christian Rebischke [this message]
2017-04-13 21:00 ` William Roberts
2017-04-13 21:05 ` Paul Moore
2017-04-13 21:08 ` William Roberts
2017-04-13 21:17 ` Paul Moore
2017-04-13 22:39 ` William Roberts
2017-04-13 21:22 ` Christian Rebischke
2017-04-13 22:45 ` William Roberts
2017-04-13 23:17 ` Steve Grubb
2017-04-13 22:25 ` Steve Grubb
2017-04-14 13:06 ` Paul Moore
2017-04-14 13:38 ` Steve Grubb
2017-04-14 23:03 ` Christian Rebischke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170413205649.GA19785@motoko \
--to=chris.rebischke@archlinux.org \
--cc=bill.c.roberts@gmail.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.