Henk's scripting does that and much more.

On Thu, Aug 31, 2017 at 5:09 PM Ted Dunning <ted.dunn...@gmail.com> wrote:

> I thought that gpg does that.
>
> On Thu, Aug 31, 2017 at 1:35 PM, Dave Fisher <dave2w...@comcast.net> wrote:
>
> > Regardless of what Jane User knows, and we have 200 million Jane Users of
> > Apache OpenOffice, I think it would be helpful to have an Apache Download
> > checker program/script that could be run to confirm the bona fides.
> >
> > An idea.
> >
> > Regards,
> > Dave
> >
> > > On Aug 31, 2017, at 1:22 PM, Julian Hyde <jhyde.apa...@gmail.com> wrote:
> > >
> > > I know this. You know this. Joe User does not know this. I am trying to
> > > make Joe User’s life easier.
> > >
> > > Since SHA256 is sufficient for both purposes why does release policy
> > > MANDATE that projects include an MD5?
> > >
> > > Julian
> > >
> > >> On Aug 31, 2017, at 1:17 PM, Ted Dunning <ted.dunn...@gmail.com> wrote:
> > >>
> > >> The checksum is not a tampering countermeasure.
> > >>
> > >> It is a "mirror ran out of disk space" or "IP checksums are only 32 bits"
> > >> countermeasure.
> > >>
> > >> On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jh...@apache.org> wrote:
> > >>
> > >>> As security experts, you and I know that. But Joe User maybe only checks
> > >>> one digest.
> > >>>
> > >>> (Aren’t we all Joe User sometimes?)
> > >>>
> > >>> Julian
> > >>>
> > >>>> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jum...@guac-dev.org> wrote:
> > >>>>
> > >>>> On Aug 31, 2017 11:21, "Julian Hyde" <jh...@apache.org> wrote:
> > >>>>
> > >>>> After downloading artifacts, there are 3 things to check: (1) the download
> > >>>> is successful; (2) the artifacts were indeed created by the named author;
> > >>>> and (3) the artifacts have not been tampered with.
> > >>>>
> > >>>> A security expert would know to use the .md5 for (1), the .asc for (2), and
> > >>>> the .sha256 or .sha512 for (3).
> > >>>>
> > >>>>
> > >>>> If there is a danger that the artifacts may be tampered with, there is an
> > >>>> equivalent danger that the checksum files will be tampered with, as well.
> > >>>> Checksums alone cannot be relied upon to verify an artifact hasn't been
> > >>>> altered.
> > >>>>
> > >>>> Only the signature allows verification of authorship and integrity ...
> > >>>> assuming users have secure access to the corresponding public keys, and
> > >>>> that those keys are linked into the web of trust.
> > >>>>
> > >>>> - Mike
> > >>>
> > >>> ---------------------------------------------------------------------
> > >>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > >>> For additional commands, e-mail: general-h...@incubator.apache.org
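
The split discussed in the thread (a digest catches a bad transfer, only the signature speaks to authorship and tampering), as an added example that is not part of the original messages and is not Henk's script. All function names, the file name `demo.tar.gz` and the sample bytes are constructed for illustration; `signature_ok` assumes `gpg` is installed and that the pinned fingerprint was obtained from somewhere other than the download mirror.

```python
import hashlib, hmac, re, subprocess

HEX_LEN = {32: "md5", 64: "sha256", 128: "sha512"}  # digest length -> algorithm

def parse_digest(text):
    """Read a .md5/.sha256/.sha512 file: 'HEX  name', bare 'HEX', or the
    'name: HEX HEX ...' layout of gpg --print-md (possibly line-wrapped)."""
    tokens = text.split()
    value = tokens[0] if tokens else ""
    if len(value) not in HEX_LEN and ":" in text:
        value = "".join(text.split(":", 1)[1].split())
    value = value.lower()
    if len(value) not in HEX_LEN or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError("unrecognised digest file")
    return HEX_LEN[len(value)], value

def digest_ok(data, digest_text):
    """Check (1): did the bytes arrive intact? Says nothing about who made them."""
    algo, expected = parse_digest(digest_text)
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)

def signature_ok(artifact_path, asc_path, pinned_fpr):
    """Checks (2) and (3): gpg must report VALIDSIG from the pinned key.
    pinned_fpr is the full hex fingerprint without spaces (an assumption here)."""
    out = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", asc_path, artifact_path],
        capture_output=True, text=True).stdout
    for line in out.splitlines():
        f = line.split()
        if len(f) > 2 and f[:2] == ["[GNUPG:]", "VALIDSIG"] \
                and pinned_fpr.upper() in (f[2], f[-1]):
            return True
    return False

def demo():
    good = b"constructed release bytes"          # constructed sample data
    swapped = b"constructed replacement bytes"   # what a tampered mirror serves
    good_sha = hashlib.sha256(good).hexdigest() + "  demo.tar.gz\n"
    swapped_sha = hashlib.sha256(swapped).hexdigest() + "  demo.tar.gz\n"
    return (digest_ok(good, good_sha),           # intact download passes
            digest_ok(good[:-3], good_sha),      # truncated download is caught
            digest_ok(swapped, swapped_sha))     # both files replaced: still passes

if __name__ == "__main__":
    print(demo())  # the last result is why the .asc check carries the trust
```
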