Regardless of what Jane User knows, and we have 200 million Jane Users of Apache OpenOffice, I think it would be helpful to have an Apache Download checker program/script that could be run to confirm the bonafides.
An idea. Regards, Dave > On Aug 31, 2017, at 1:22 PM, Julian Hyde <jhyde.apa...@gmail.com> wrote: > > I know this. You know this. Joe User does not know this. I am trying to make > Joe User’s life easier. > > Since SHA256 is sufficient for both purposes why does release policy MANDATE > that projects include an MD5? > > Julian > > >> On Aug 31, 2017, at 1:17 PM, Ted Dunning <ted.dunn...@gmail.com> wrote: >> >> The checksum is not a tampering countermeasure. >> >> It is a "mirror ran out of diskpace" or "IP checksums are only 32 bits" >> countermeasure. >> >> >> >> On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jh...@apache.org> wrote: >> >>> As security experts, you and I know that. But Joe User maybe only checks >>> one digest. >>> >>> (Aren’t we all Joe User sometimes?) >>> >>> Julian >>> >>>> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jum...@guac-dev.org> >>> wrote: >>>> >>>> On Aug 31, 2017 11:21, "Julian Hyde" <jh...@apache.org> wrote: >>>> >>>> After downloading artifacts, there are 3 things to check: (1) the >>> download >>>> is successful; (2) the artifacts were indeed created by the named author; >>>> and (3) the artifacts have not been tampered with. >>>> >>>> A security expert would know to use the .md5 for (1), the .asc for (2), >>> and >>>> the .sha256 or .sha512 for (3). >>>> >>>> >>>> If there is a danger that the artifacts may be tampered with, there is an >>>> equivalent danger that the checksum files will be tampered with, as well. >>>> Checksums alone cannot be relied upon to verify an artifact hasn't been >>>> altered. >>>> >>>> Only the signature allows verification of authorship and integrity ... >>>> assuming users have secure access to the corresponding public keys, and >>>> that those keys are linked into the web of trust. >>>> >>>> - Mike >>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >>> For additional commands, e-mail: general-h...@incubator.apache.org >>> >>> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org >
signature.asc
Description: Message signed with OpenPGP
