I thought that gpg does that. On Thu, Aug 31, 2017 at 1:35 PM, Dave Fisher <dave2w...@comcast.net> wrote:
> Regardless of what Jane User knows, and we have 200 million Jane Users of > Apache OpenOffice, I think it would be helpful to have an Apache Download > checker program/script that could be run to confirm the bonafides. > > An idea. > > Regards, > Dave > > > On Aug 31, 2017, at 1:22 PM, Julian Hyde <jhyde.apa...@gmail.com> wrote: > > > > I know this. You know this. Joe User does not know this. I am trying to > make Joe User’s life easier. > > > > Since SHA256 is sufficient for both purposes why does release policy > MANDATE that projects include an MD5? > > > > Julian > > > > > >> On Aug 31, 2017, at 1:17 PM, Ted Dunning <ted.dunn...@gmail.com> wrote: > >> > >> The checksum is not a tampering countermeasure. > >> > >> It is a "mirror ran out of diskpace" or "IP checksums are only 32 bits" > >> countermeasure. > >> > >> > >> > >> On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jh...@apache.org> wrote: > >> > >>> As security experts, you and I know that. But Joe User maybe only > checks > >>> one digest. > >>> > >>> (Aren’t we all Joe User sometimes?) > >>> > >>> Julian > >>> > >>>> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jum...@guac-dev.org> > >>> wrote: > >>>> > >>>> On Aug 31, 2017 11:21, "Julian Hyde" <jh...@apache.org> wrote: > >>>> > >>>> After downloading artifacts, there are 3 things to check: (1) the > >>> download > >>>> is successful; (2) the artifacts were indeed created by the named > author; > >>>> and (3) the artifacts have not been tampered with. > >>>> > >>>> A security expert would know to use the .md5 for (1), the .asc for > (2), > >>> and > >>>> the .sha256 or .sha512 for (3). > >>>> > >>>> > >>>> If there is a danger that the artifacts may be tampered with, there > is an > >>>> equivalent danger that the checksum files will be tampered with, as > well. > >>>> Checksums alone cannot be relied upon to verify an artifact hasn't > been > >>>> altered. > >>>> > >>>> Only the signature allows verification of authorship and integrity ... > >>>> assuming users have secure access to the corresponding public keys, > and > >>>> that those keys are linked into the web of trust. > >>>> > >>>> - Mike > >>> > >>> > >>> --------------------------------------------------------------------- > >>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > >>> For additional commands, e-mail: general-h...@incubator.apache.org > >>> > >>> > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > > For additional commands, e-mail: general-h...@incubator.apache.org > > > >
