On December 2, 2016 11:18 NicoHood wrote:

The signature itself is only a signed hash (sha256). So we do rely on
the collision resistance of sha256[1] (or whatever the GPG itself uses).
You are right, that hashes themselves are not enough to verify that the
original author provided this source. But it gives you the guarantee
that you downloaded the same source, as the maintainer (PKGBUILD writer) did.


GPG uses DSA[0]. And the signatures done using GPG are done in a way that
requires a key pair on the part of the person doing the signature. The
link you sent demonstrates precisely that. They are much more than simple
hashes.

That is what integrity is all about, that is not only a checksum! The
weakest spot though is the initial fetching of the source on which the
maintainer relies. However with strong hashes you can at least ensure
that you (for a rebuild) download the exact same sources, as the
maintainer did. You just cannot prove who published that source itself.
Saying sha256 is not secure enough for that purpose would also say GPG
is not safe.


I'm not saying that sha256 is not secure enough for that purpose. I'm saying
that for *maintainers* it is not enough. There's a difference, it's subtle,
but it is there nevertheless. We replace upstream trust with our own. So we
must be sure that we're packaging from the right upstream source, even if
said source can't be obtained securely, nor does it have proper hashes or not
even TLS.

Correct me if I am wrong though. It would also be nice to discuss this in the
email I recently opened and not in the TU Application. I think this is a
highly important topic, especially for those packages where we do not
have gpg and https available and you can only rely on the hash that the
maintainer gave out (AUR).


Sure, let's discuss that. But I think we already, even if informally, agreed
that using TLS where available is better than not. I'll stop deviating from
the purpose of the TU application discussion. Baptiste, you fixed what we
suggested, and that's ok by me.

Cheers,
Giancarlo Razzolini

[0] https://www.gnupg.org/gph/en/manual.html#AEN216
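
The distinction argued above (a pinned sha256 proves you got the same bytes the maintainer got, not that the author published them) is easy to see with a small model of makepkg's sha256sums=() check. The following is an added example written for this page; it is not code from the thread, from makepkg or from the AUR. The tarball contents, the "genuine"/"trojaned" roles, the filename foo-1.0.tar.gz and the helper names (check_sha256sums, maintainer_pins, rebuild_verdict) are all constructed for illustration; only the semantics mirrored (one digest per source, in order, with the literal SKIP disabling the check) are taken from how PKGBUILD checksum arrays work.

```python
"""Toy model of what a PKGBUILD's sha256sums=() does and does not prove.

Added example; not code from the thread, the AUR or makepkg. The tarball
contents, the "upstream" and "man-in-the-middle" roles and the filenames
are constructed for illustration.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the value a maintainer pastes into sha256sums=()."""
    return hashlib.sha256(data).hexdigest()


def check_sha256sums(sources, sha256sums):
    """Mimic makepkg's integrity check: one digest per source, in order.

    sources    -- list of (filename, bytes) as fetched by the rebuilder
    sha256sums -- list of hex digests (or the literal 'SKIP') from the PKGBUILD
    Returns a list of (filename, 'Passed' | 'FAILED' | 'Skipped').
    """
    if len(sources) != len(sha256sums):
        # makepkg refuses to build when the two arrays are out of sync
        raise ValueError("sha256sums=() and source=() differ in length")
    verdicts = []
    for (name, data), expected in zip(sources, sha256sums):
        if expected == "SKIP":
            # 'SKIP' disables the check for that entry (VCS sources, .sig files)
            verdicts.append((name, "Skipped"))
            continue
        actual = sha256_hex(data)
        # constant-time compare; harmless here but the right habit for digests
        ok = hmac.compare_digest(actual, expected.lower())
        verdicts.append((name, "Passed" if ok else "FAILED"))
    return verdicts


# --- constructed scenario -------------------------------------------------
# What the real author published ...
GENUINE = b"int main(void){return 0;}\n"
# ... and what a man-in-the-middle served over plain HTTP instead.
TROJANED = b'int main(void){system("id");return 0;}\n'


def maintainer_pins(fetched: bytes) -> list:
    """The maintainer hashes whatever they downloaded and pins exactly that."""
    return [sha256_hex(fetched)]


def rebuild_verdict(pinned, fetched: bytes) -> str:
    """What a later rebuilder sees when makepkg checks their own download."""
    return check_sha256sums([("foo-1.0.tar.gz", fetched)], pinned)[0][1]


if __name__ == "__main__":
    # Case 1: the maintainer fetched the genuine file. Any later substitution
    # (mirror compromise, MITM on the rebuilder's link) is caught.
    pinned = maintainer_pins(GENUINE)
    print("genuine pinned, genuine fetched :", rebuild_verdict(pinned, GENUINE))
    print("genuine pinned, trojaned fetched:", rebuild_verdict(pinned, TROJANED))

    # Case 2: the maintainer's *own* download was tampered with. The hash now
    # pins the trojan: every rebuilder gets "Passed", and the real upstream
    # file is the one that fails. The checksum proved reproducibility of the
    # maintainer's fetch, not authenticity of the author's release.
    pinned = maintainer_pins(TROJANED)
    print("trojan pinned, trojaned fetched :", rebuild_verdict(pinned, TROJANED))
    print("trojan pinned, genuine fetched  :", rebuild_verdict(pinned, GENUINE))

    # A SKIP entry is never compared at all.
    print(check_sha256sums([("foo.git", b"")], ["SKIP"]))
```

Run it and case 2 is the point of the thread: nothing in the PKGBUILD check can tell the two situations apart, because the digest is computed over whatever the maintainer received. Only something bound to the author's key (a detached GPG signature checked via validpgpkeys, or at least fetching over TLS from the author's own host) moves the trust anchor from the maintainer's download back to the upstream author.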
