From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: signed tarballs
Date: Thu, 13 Apr 2017 18:25:06 -0400 [thread overview]
Message-ID: <5856507.yEgrJDtUAW@x2> (raw)
In-Reply-To: <CAHC9VhSyZG2CKZAX=ZYpiMbyDqbLQKhm+3-Vm1WJkL0CjRvhyA@mail.gmail.com>
On Thursday, April 13, 2017 5:05:36 PM EDT Paul Moore wrote:
> On Thu, Apr 13, 2017 at 5:00 PM, William Roberts <bill.c.roberts@gmail.com> wrote:
> > Isn't the hash on the https people's page?
No, it's on the mail list. The mail list is moderated. Only a handful of people
could post a spoofed message.
> > Which last time I looked wasn't throwing cert errors in chrome.
>
> Unless Steve has exclusive administrative access to people.redhat.com
> (I think it is safe to say he does not, but correct me if I'm wrong
> Steve <b>)
Nope.
> you can't trust an unsigned checksum regardless of how
> strong the https cert/crypto as the web admin could still tamper with
> the data.
They would have to go tamper with the mail list where all the hashes are
publicly disclosed, too. There are multiple mail list archives. Then they
would have to post the tampered tarball to the Fedora Build System, which also
publicly discloses hashes. And the Fedora Build System requires several
identity checks to check it in, and it maintains a log.
You might get one, but you can't get them all. I'd say just a simple check of
the hash would catch most problems. If not, then I'd trust what's in Fedora
over the people page.
-Steve
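The cross-checking Steve describes above (compare the tarball's digest against the hash as published by several independent places, and treat any disagreement between them as a red flag) can be scripted. The following is an added example and is not code from the thread or from the audit project; the source names and the tarball bytes are constructed placeholders, and the real digests would be copied from the mail list archives, the people page and the Fedora build system.

```python
import hashlib

# Constructed sample input: a stand-in for the release tarball and the
# SHA-256 digest as "published" by several independent sources. In practice
# the digests are copied by hand from each source; these are placeholders.
TARBALL = b"audit release tarball contents (constructed sample)\n"
GOOD_HASH = hashlib.sha256(TARBALL).hexdigest()

PUBLISHED = {
    "mail-list-archive-1": GOOD_HASH,   # first public archive of the announcement
    "mail-list-archive-2": GOOD_HASH,   # an independent mirror of the same list
    "people-page": GOOD_HASH,           # hash next to the download link
    "fedora-build-system": GOOD_HASH,   # hash recorded when the tarball was checked in
}


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the given bytes (read in one go; fine for a tarball)."""
    return hashlib.sha256(data).hexdigest()


def check_against_sources(data: bytes, published: dict, min_agreeing: int = 2):
    """Compare the digest of `data` with every published hash.

    Returns (verdict, agreeing_sources, disagreeing_sources) where verdict is:
      "ok"       - every source agrees with the file and at least `min_agreeing`
                   sources were consulted
      "conflict" - some sources agree and some do not: at least one source is
                   stale or tampered, so the tarball should not be trusted yet
      "mismatch" - no source agrees with the file (wrong or tampered download)
    """
    actual = sha256_of(data)
    agreeing = sorted(s for s, h in published.items() if h.strip().lower() == actual)
    disagreeing = sorted(s for s, h in published.items() if h.strip().lower() != actual)
    if not disagreeing and len(agreeing) >= min_agreeing:
        verdict = "ok"
    elif agreeing and disagreeing:
        verdict = "conflict"
    else:
        verdict = "mismatch"
    return verdict, agreeing, disagreeing


if __name__ == "__main__":
    verdict, good, bad = check_against_sources(TARBALL, PUBLISHED)
    print(f"verdict={verdict} agree={good} disagree={bad}")
```

Requiring `min_agreeing` independent sources is what turns a single unsigned checksum into something useful: an attacker who can edit one web page would also have to rewrite every list archive and the build system's record to make the "ok" verdict appear.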