Hey Joe, Thanks for the pointer. I think Henk needs to be involved.
Regards, Dave Sent from my iPhone > On Aug 31, 2017, at 3:31 PM, Joe Schaefer <joes...@gmail.com> wrote: > > Henk's scripting does that and much more. > >> On Thu, Aug 31, 2017 at 5:09 PM Ted Dunning <ted.dunn...@gmail.com> wrote: >> >> I thought that gpg does that. >> >> On Thu, Aug 31, 2017 at 1:35 PM, Dave Fisher <dave2w...@comcast.net> >> wrote: >> >>> Regardless of what Jane User knows, and we have 200 million Jane Users of >>> Apache OpenOffice, I think it would be helpful to have an Apache Download >>> checker program/script that could be run to confirm the bonafides. >>> >>> An idea. >>> >>> Regards, >>> Dave >>> >>>> On Aug 31, 2017, at 1:22 PM, Julian Hyde <jhyde.apa...@gmail.com> >> wrote: >>>> >>>> I know this. You know this. Joe User does not know this. I am trying to >>> make Joe User’s life easier. >>>> >>>> Since SHA256 is sufficient for both purposes why does release policy >>> MANDATE that projects include an MD5? >>>> >>>> Julian >>>> b >>>> >>>>> On Aug 31, 2017, at 1:17 PM, Ted Dunning <ted.dunn...@gmail.com> >> wrote: >>>>> >>>>> The checksum is not a tampering countermeasure. >>>>> >>>>> It is a "mirror ran out of diskpace" or "IP checksums are only 32 >> bits" >>>>> countermeasure. >>>>> >>>>> >>>>> >>>>> On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jh...@apache.org> >> wrote: >>>>> >>>>>> As security experts, you and I know that. But Joe User maybe only >>> checks >>>>>> one digest. >>>>>> >>>>>> (Aren’t we all Joe User sometimes?) >>>>>> >>>>>> Julian >>>>>> >>>>>>> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jum...@guac-dev.org >>> >>>>>> wrote: >>>>>>> >>>>>>> On Aug 31, 2017 11:21, "Julian Hyde" <jh...@apache.org> wrote: >>>>>>> >>>>>>> After downloading artifacts, there are 3 things to check: (1) the >>>>>> download >>>>>>> is successful; (2) the artifacts were indeed created by the named >>> author; >>>>>>> and (3) the artifacts have not been tampered with. >>>>>>> >>>>>>> A security expert would know to use the .md5 for (1), the .asc for >>> (2), >>>>>> and >>>>>>> the .sha256 or .sha512 for (3). >>>>>>> >>>>>>> >>>>>>> If there is a danger that the artifacts may be tampered with, there >>> is an >>>>>>> equivalent danger that the checksum files will be tampered with, as >>> well. >>>>>>> Checksums alone cannot be relied upon to verify an artifact hasn't >>> been >>>>>>> altered. >>>>>>> >>>>>>> Only the signature allows verification of authorship and integrity >> ... >>>>>>> assuming users have secure access to the corresponding public keys, >>> and >>>>>>> that those keys are linked into the web of trust. >>>>>>> >>>>>>> - Mike >>>>>> >>>>>> >>>>>> --------------------------------------------------------------------- >>>>>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >>>>>> For additional commands, e-mail: general-h...@incubator.apache.org >>>>>> >>>>>> >>>> >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >>>> For additional commands, e-mail: general-h...@incubator.apache.org >>>> >>> >>> >> --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
