On 25 January 2018 at 17:07, Henk P. Penning <penn...@uu.nl> wrote:
> On Thu, 25 Jan 2018, sebb wrote:
>
>> Date: Thu, 25 Jan 2018 11:15:10 +0100
>> From: sebb <seb...@gmail.com>
>> To: dev@community.apache.org
>> Subject: Re: Feedback on dist health checker (was: [jira] [Commented]
>>     (COMDEV-248) add /dist/ health issues)
>
>>> KEYS files aren't necessary to verify a download ; see
>>>   https://checker.apache.org/dist/verify.html
>>
>> That uses the SHA-1 hash which is known to be insecure.
>> It may only be easy to forge for PDFs and images at present, but that
>> will change.
>
> When it changes, we can switch to SHA-256 in no time,
> without any impact for the PMC's.
>
>>> For example [good and bad] :
>>>
>>> https://checker.apache.org/sums/b210887198f38bd3ab3dd4f38f056d0143afcf38.html
>>>
>>> https://checker.apache.org/sums/8347323be17d484be69b9fb094bf110993c66c39.html
>>
>> It's not immediately obvious that the download is bad,
>> nor what to do about it.
>
> It seems you don't understand the magic ; a 'bad' download
> results in a 'bad' checksum ; right?

Yes, I understand that.
However I have worked with sigs and hashes for a while.

> For example [change the last digit in the first example ; 38. -> 30. ] :
>
> https://checker.apache.org/sums/b210887198f38bd3ab3dd4f38f056d0143afcf30.html

Yes. I know.
However what is the average user to make of the page:

https://checker.apache.org/sums/8347323be17d484be69b9fb094bf110993c66c39.html

This presents a huge amount of information, almost all of which will
mean nothing to most people.

>>>
>>> https://checker.apache.org/sums/4a23503e9c272eed58c86046a8da737866cd1aff.html
>>
>> No idea why some of those have a verify section and some not.
>
> A 'verify-section' is shown, if the project has deployed a META file,
> and the object can be verified.
>
> See https://checker.apache.org/doc/README.html#ch-meta

In which case the pages without the META file should probably indicate
that verification was not possible.

==

I think there are several potential consumers of the pages.
- people familiar with sigs and hashes who want/need all the detail
- release managers and devs who need to know what to fix
- general public who just want to verify a download

> Regards,
>
> Henk Penning
>
> ------------------------------------------------------------   _
> Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
> Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
> Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
> http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl     \_/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> For additional commands, e-mail: dev-h...@community.apache.org