-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,
I am contacting you as a package maintainer of Parabola GNU/Linux-libre,
a fully free operating system in compliance with the Free Software
Foundation's GNU FSDG. We also have a focus on privacy and security.

We attempt to ensure that all of our packages and upstream are secure.
As such I discovered a problem with your package "perl".

http://www.cpan.org/src/5.0/ <-- from here

There is currently no GPG signature to verify that the
source is actually the one you have created.

This is particularly important since there have been recent attacks
which replaced files on upstream servers. Take for example the Linux
Mint hack earlier this year.
(https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/)

I would like to request that you please upload a SHA512 checksum of your
tar.gz files, as well as sign the SHA512 with a GPG signature.
Releasing only a checksum does not prevent an attacker from uploading a
modified copy and simply placing a new hash along with it.

Technical documentation on how to do this:
http://docs.oracle.com/cd/E36784_01/html/E36870/sha512sum-1.html
sha512sum * > SHA512SUMS

https://help.ubuntu.com/community/GnuPrivacyGuardHowto
https://access.redhat.com/solutions/1541303
gpg --clearsign -o SHA512SUMS.sign SHA512SUMS

The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be
uploaded to your site (or on another site/server for added security), so
that package maintainers can verify that the source is accurate and
unhacked by a third-party prior to packaging.

Thank you for your time and concern.


Sincerely,
Luke
Parabola GNU/Linux-libre Packager


-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
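The mail above asks for two things: a SHA512SUMS file in the format `sha512sum` writes, and a GPG clearsignature over it, so that a packager can check both. The following Python script is an added example, not code from the mail or from the Perl or Parabola projects. It builds and parses SHA512SUMS in the coreutils format, verifies a directory against it the way `sha512sum -c` does, and reproduces the scenario the mail warns about: an attacker who can write to the download server replaces both the tarball and the unsigned checksum file, so checksum-only verification passes, while verification against the copy of SHA512SUMS that was signed still fails. The tarball name and contents are constructed placeholders, and `gpg_verify_clearsigned` assumes a `gpg` binary and an already-imported, trusted release key.

```python
"""Added example (not part of the original mail): SHA512SUMS generation,
parsing and verification, plus a simulation of the checksum-replacement
attack. File names and contents below are constructed placeholders."""
import hashlib
import os
import shutil
import subprocess
import tempfile


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 digest of an in-memory byte string."""
    return hashlib.sha512(data).hexdigest()


def sha512_file(path: str) -> str:
    """Hex SHA-512 digest of a file, read in chunks so large tarballs fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sha512sums(directory: str, names) -> str:
    """Equivalent of `sha512sum * > SHA512SUMS`: one '<hex>  <name>' line per file."""
    lines = [f"{sha512_file(os.path.join(directory, n))}  {n}" for n in sorted(names)]
    return "\n".join(lines) + "\n"


def parse_sha512sums(text: str) -> dict:
    """Parse coreutils-style lines: '<hex>  <name>' (text mode) or '<hex> *<name>' (binary)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ")
        if name.startswith("*"):  # binary-mode marker used by sha512sum -b
            name = name[1:]
        digest = digest.lower()
        if len(digest) != 128 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed SHA512SUMS line: {line!r}")
        entries[name] = digest
    return entries


def verify_sha512sums(directory: str, text: str) -> dict:
    """Return {name: ok} like `sha512sum -c SHA512SUMS`; a missing file counts as failed."""
    result = {}
    for name, expected in parse_sha512sums(text).items():
        path = os.path.join(directory, name)
        result[name] = os.path.isfile(path) and sha512_file(path) == expected
    return result


def gpg_verify_clearsigned(sign_path: str) -> bool:
    """Check SHA512SUMS.sign with the packager's keyring (assumed: gpg installed,
    release key imported and trusted; a valid signature from an unknown key
    proves nothing). Not exercised by the demo below."""
    proc = subprocess.run(["gpg", "--verify", sign_path], capture_output=True)
    return proc.returncode == 0


def demo_checksum_replacement() -> dict:
    """Simulate the attack the mail describes: the tarball and the unsigned
    SHA512SUMS are both replaced on the download server."""
    workdir = tempfile.mkdtemp()
    try:
        tarball = "perl-EXAMPLE.tar.gz"  # constructed name, not a real release
        with open(os.path.join(workdir, tarball), "wb") as f:
            f.write(b"genuine release bytes\n")  # constructed content
        # Release manager: SHA512SUMS is generated and then clearsigned.
        # signed_sums stands for the text a successful `gpg --verify` vouches for.
        signed_sums = write_sha512sums(workdir, [tarball])

        # Attacker with write access: overwrite the tarball, regenerate the checksums.
        with open(os.path.join(workdir, tarball), "wb") as f:
            f.write(b"backdoored release bytes\n")  # constructed content
        replaced_sums = write_sha512sums(workdir, [tarball])

        return {
            "tampered_passes_replaced_checksums": all(verify_sha512sums(workdir, replaced_sums).values()),
            "tampered_passes_signed_checksums": all(verify_sha512sums(workdir, signed_sums).values()),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo_checksum_replacement())
```

The packager's workflow that this models is: run `gpg --verify SHA512SUMS.sign` against a key obtained out of band, take the checksum lines from inside the verified clearsigned file rather than from a separate unsigned SHA512SUMS, and only then run `sha512sum -c`. Without the signing key the attacker cannot produce a new SHA512SUMS.sign, so the replaced tarball fails the second step even though it passes a checksum-only check.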
