Re: [sage-devel] Sagemath mirrors security issues

2017-10-26 Thread Erik Bray
On Wed, Oct 25, 2017 at 6:32 PM, William Stein wrote: > > On Wed, Oct 25, 2017 at 9:12 AM Emmanuel Charpentier > wrote: >> >> During the >> [discussion](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) >> of the inclusion of OpenSSL, a few remarks were made about the security

Re: [sage-devel] Sagemath mirrors security issues

2017-10-26 Thread Jeroen Demeyer
There are various downloads that we need to consider: (A) Downloads of Sage-the-distribution source/binary tarballs (B) Cloning the git repo (C) Downloading tarballs while building from the git repo I think that (A) should be our primary worry, since those are usually not checked by anybody. Fo

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Luca De Feo
Serving over https is very easy nowadays, thanks to letsencrypt. Nonetheless, it may take some time for all mirrors to switch to it. Switching to sha-256 hashes is a much more trivial change, which can be rolled out almost overnight. In the same vein, on the download page only md5 hashes are list
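Luca's point above about moving the download page from md5 to sha-256, and Jeroen's category (A) (tarballs of the distribution that nobody else checks), both come down to one check on the user's side: hash the file you got from a mirror and compare it with a digest published somewhere you trust. The following is an added example of that check in Python; it is not Sage project code and not code posted by anyone in this thread. The coreutils-style listing format ("<hexdigest>  <filename>"), the file name and the payload bytes are constructed for the example.

```python
"""Verify a downloaded tarball against a checksum listing obtained from a
trusted source. Added example, not Sage project code. The listing format,
file name and payload below are assumptions made for illustration."""
import hashlib
import hmac
import re

# Algorithms strong enough to attest a download. md5 and sha1 are both
# collision-broken, so a listing in those algorithms is refused outright
# even if the digest would happen to match.
ACCEPTED_ALGOS = {"sha256", "sha512"}

# One line of a sha256sum-style listing: "<hex>  <name>" or "<hex> *<name>".
_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")


def parse_sums(text: str) -> dict:
    """Parse a md5sum/sha256sum-style listing into {filename: hexdigest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable checksum line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def verify(data: bytes, filename: str, sums_text: str, algo: str) -> bool:
    """Return True if `data` matches the listed digest for `filename`.

    `algo` is the algorithm the listing claims to use. Weak algorithms raise
    rather than returning False, so a caller cannot fall back to them.
    """
    if algo not in ACCEPTED_ALGOS:
        raise ValueError(f"{algo} is not acceptable for download verification")
    expected = parse_sums(sums_text).get(filename)
    if expected is None:
        raise KeyError(f"{filename} not in checksum listing")
    actual = hashlib.new(algo, data).hexdigest()
    if len(expected) != len(actual):
        raise ValueError("digest length does not match the claimed algorithm")
    # Constant-time comparison; cheap insurance against timing side channels.
    return hmac.compare_digest(actual, expected)


# Constructed sample data: not a real Sage tarball and not real published digests.
TARBALL_NAME = "sage-8.1.tar.gz"
TARBALL = b"constructed tarball payload standing in for the real archive\n"
TAMPERED = TARBALL + b"payload altered on a hostile mirror\n"


def sample_listing(algo: str) -> str:
    """Build the listing a trusted download page would publish for TARBALL."""
    return f"{hashlib.new(algo, TARBALL).hexdigest()}  {TARBALL_NAME}\n"


if __name__ == "__main__":
    trusted = sample_listing("sha256")
    print("genuine tarball:", verify(TARBALL, TARBALL_NAME, trusted, "sha256"))
    print("tampered tarball:", verify(TAMPERED, TARBALL_NAME, trusted, "sha256"))
    try:
        verify(TARBALL, TARBALL_NAME, sample_listing("md5"), "md5")
    except ValueError as err:
        print("md5 listing refused:", err)
```

The listing has to come from the project's own site over an authenticated channel, not from the mirror that served the tarball; a mirror that can replace the archive can replace a checksum file sitting next to it just as easily, which is why the digest on the download page is the value that matters.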

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Michael Orlitzky
On 10/25/2017 04:29 PM, Emmanuel Charpentier wrote: > Ouch ! The security problem so well explained by William turns out to be > a much larger "social" problem... > > Worth attacking ? > Not really... you can get commit access to sage.git by asking nicely. Ultimately, HTTPS is pointless unless yo

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread William Stein
On Wed, Oct 25, 2017 at 1:29 PM Emmanuel Charpentier < emanuel.charpent...@gmail.com> wrote: > Ouch ! The security problem so well explained by William turns out to be a > much larger "social" problem... > > > Worth attacking ? > I think it's better to think of computer security as being about a

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Emmanuel Charpentier
Ouch ! The security problem so well explained by William turns out to be a much larger "social" problem... Worth attacking ? -- Emmanuel Charpentier Le mercredi 25 octobre 2017 21:45:37 UTC+2, Volker Braun a écrit : > > Pretty much anybody can host a download mirror by sending Harald an email, >

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Volker Braun
Pretty much anybody can host a download mirror by sending Harald an email, so requiring https to download files doesn't mean much. On Wednesday, October 25, 2017 at 6:32:26 PM UTC+2, William wrote: > > > On Wed, Oct 25, 2017 at 9:12 AM Emmanuel Charpentier < > emanuel.c...@gmail.com > wrote: >

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread William Stein
On Wed, Oct 25, 2017 at 9:12 AM Emmanuel Charpentier < emanuel.charpent...@gmail.com> wrote: > During the [discussion]( > https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) of > the inclusion of OpenSSL, a few remarks were made about the security of our > distribution infrastruct

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Erik Bray
On Wed, Oct 25, 2017 at 6:12 PM, Emmanuel Charpentier wrote: > During the > [discussion](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) > of the inclusion of OpenSSL, a few remarks were made about the security of > our distribution infrastructure. > > > It has been noted that

[sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Emmanuel Charpentier
During the [discussion](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) of the inclusion of OpenSSL, a few remarks were made about the security of our distribution infrastructure. It has been noted that http is ridiculously easy to hijack