From: Steve Grubb
Subject: Re: signed tarballs
Date: Thu, 13 Apr 2017 16:43:58 -0400
Message-ID: <2130568.dMp5T6juCr@x2>
References: <20170406233134.GA32113@motoko> <20170413202811.GA18419@motoko>
To: William Roberts
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, April 13, 2017 4:30:57 PM EDT William Roberts wrote:
> On Apr 13, 2017 13:28, "Christian Rebischke" wrote:
> > On Tue, Apr 11, 2017 at 10:03:54AM -0400, Steve Grubb wrote:
> > > I added a sha256sum to the release announcement yesterday. You can also
> > > access the people page via https.
> >
> > Thanks, but as I stated before, SHA256 and https don't ensure a
> > non-malicious tarball. Only a signed tarball can achieve this.
>
> That's not true; he's providing you a detached signature via this
> mechanism. You just need to check the sha256sum before extraction.

Yeah, MD5 = collisions. SHA-1 = collisions. SHA-2 no known collisions. NIST
found during the SHA-3 competition that SHA-2 was much more robust than
previously thought.

-Steve
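The disagreement above is about what a sha256sum published beside a tarball actually proves. The script below is an added example, not code from this thread or from the audit project; it uses a constructed stand-in "tarball" and digest file, and plays through three cases: the genuine release, an artifact swapped without the digest (the case a digest check catches), and an artifact swapped together with a republished digest (the case a digest check cannot catch, which is the one a signature is for).

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread or the audit project.
# It shows what a sha256sum published next to a tarball does and does not
# catch. File names and contents are constructed stand-ins.
set -e

# make_release DIR: write a stand-in "tarball" and the digest file a
# maintainer would publish beside it (constructed data).
make_release() {
    mkdir -p "$1"
    printf 'constructed release payload v1\n' > "$1/release.tar.gz"
    ( cd "$1" && sha256sum release.tar.gz > SHA256SUMS )
}

# check_release DIR: returns 0 if release.tar.gz matches SHA256SUMS,
# non-zero otherwise. This is the "check the sha256sum before extraction"
# step from the thread.
check_release() {
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS >/dev/null 2>&1 )
}

# swap_file_only DIR: an attacker who can replace the artifact but not the
# published digest (a bad mirror, a download tampered with in transit).
swap_file_only() {
    printf 'malicious payload\n' > "$1/release.tar.gz"
}

# swap_file_and_sum DIR: an attacker who controls the same channel the digest
# came from, and simply republishes a digest that matches the new file.
swap_file_and_sum() {
    printf 'malicious payload\n' > "$1/release.tar.gz"
    ( cd "$1" && sha256sum release.tar.gz > SHA256SUMS )
}

# demo: exercises the three cases in a scratch directory and reports each.
demo() {
    dir=$(mktemp -d)
    make_release "$dir"
    check_release "$dir" && echo "genuine release: digest matches"
    swap_file_only "$dir"
    check_release "$dir" || echo "file swapped, digest kept: mismatch detected"
    swap_file_and_sum "$dir"
    check_release "$dir" && echo "file and digest both swapped: NOT detected"
    rm -rf "$dir"
}

demo
```

The third case is the one behind the "only a signed tarball" position: a digest that travels over the same channel as the file (the same web page, the same mirror, the same announcement) is only as trustworthy as that channel, so it detects corruption and substitution by a party who cannot also edit the digest, and nothing else. A detached signature (checked with `gpg --verify <sig> <file>` against a signing key obtained out of band) binds the digest to a key the attacker does not hold, which is the property the digest alone lacks. Running either check before extracting, rather than after, is still the right order, since tar will happily unpack whatever it is given.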