On Thu, 25 Jan 2018, sebb wrote:
Date: Thu, 25 Jan 2018 11:15:10 +0100
From: sebb <seb...@gmail.com>
To: dev@community.apache.org
Subject: Re: Feedback on dist health checker (was: [jira] [Commented]
(COMDEV-248) add /dist/ health issues)
KEYS files aren't necessary to verify a download ; see
https://checker.apache.org/dist/verify.html
That uses the SHA-1 hash which is known to be insecure.
It may only be easy to forge for PDFs and images at present, but that
will change.
When it changes, we can switch to SHA-256 in no time,
without any impact for the PMC's.
For example [good and bad] :
https://checker.apache.org/sums/b210887198f38bd3ab3dd4f38f056d0143afcf38.html
https://checker.apache.org/sums/8347323be17d484be69b9fb094bf110993c66c39.html
It's not immediately obvious that the download is bad,
nor what to do about it.
It seems you don't understand the magic ; a 'bad' download
results in a 'bad' checksum ; right?
For example [change the last digit in the first example ; 38. -> 30. ] :
https://checker.apache.org/sums/b210887198f38bd3ab3dd4f38f056d0143afcf30.html
https://checker.apache.org/sums/4a23503e9c272eed58c86046a8da737866cd1aff.html
No idea why some of those have a verify section and some not.
A 'verify-section' is shown, if the project has deployed a META file,
and the object can be verified.
See https://checker.apache.org/doc/README.html#ch-meta
Regards,
Henk Penning
------------------------------------------------------------ _
Henk P. Penning, ICT-beta R Uithof MG-403 _/ \_
Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl \_/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org
