[Freeipa-devel] [SSSD] SSSD Release Process

Stephen John Smoogen smooge at gmail.com
Fri Jun 19 17:27:07 UTC 2009


On Fri, Jun 19, 2009 at 10:58 AM, Stephen Gallagher <sgallagh at redhat.com> wrote:
> On 06/19/2009 12:50 PM, Simo Sorce wrote:
>> On Fri, 2009-06-19 at 12:38 -0400, Stephen Gallagher wrote:
>>> Discussion welcome.
>>
>> why the md5sum and the shasum when we already have the .asc ?
>> And why both ?
>>
>> Simo.
>>
>
> I always prefer paranoia when it comes to security. I wanted to have at
> least one other method of verifying the tarball provided on our wiki
> (since it's possible that someone on Fedorahosted.org could replace our
> .asc and tarball with ones of their own devising, and the chances of
> them doing so in both the release fileserver and on our wiki are smaller)
>
> Also, if we're going to provide a hash, providing both means that even
> if someone actually managed to force a hash-collision to provide a fake
> tarball, they'd have to fake BOTH the md5 and sha1 sums. This is so
> unlikely as to be effectively impossible.

I have heard from a couple of cryptanalysts this may not always be
effectively impossible anymore. However, I have heard the opposite also
:). The bigger issue is to use checksums that are available to people
and currently 'secure'. Those would be SHA1SUM until 2010/2012 and
SHA2(256) and using the appropriate GPG asc signature.

The bigger issue is how often people check those sums. Normally people
will be checking things that aren't recent so keeping older sums and
signatures is as important as new ones.


> And yes, there's a slight possibility that I'm too paranoid. I consider
> that a plus when working on security software.
>
> --
> Stephen Gallagher
> RHCE 804006346421761
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/



-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
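
The cross-check discussed in this thread (checksums published in two places, so that a tarball and its sums swapped on one server are caught by the other), as an added example that is not part of the original messages. The file name, the source labels "fileserver" and "wiki", and the byte strings are constructed; it covers only the SHA-1/SHA-256 comparison, not the GPG .asc verification.

```python
import hashlib
import os
import tempfile
ALGOS = ("sha1", "sha256")  # the digests the reply above names

def file_digests(path):
    """Stream the file once and return {algo: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def parse_sums(text):
    """Parse coreutils-style lines ('<hex>  <name>' or '<hex> *<name>')."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums

def verify_release(path, sources):
    """Return problems; sources maps publication point -> {algo: sums-file text}."""
    name = os.path.basename(path)
    actual = file_digests(path)
    problems = []
    for source, per_algo in sources.items():
        for algo in ALGOS:
            expected = parse_sums(per_algo.get(algo, "")).get(name)
            if expected is None:
                problems.append(f"{source}: no {algo} entry for {name}")
            elif expected != actual[algo]:
                problems.append(f"{source}: {algo} mismatch")
    return problems

def demo(tampered=True):
    """Constructed case: tarball and sums swapped on the fileserver only."""
    name = "sssd-example.tar.gz"  # hypothetical file name
    good, evil = b"constructed release bytes", b"constructed trojan bytes"
    served = evil if tampered else good
    def sums(data):
        return {a: f"{hashlib.new(a, data).hexdigest()}  {name}\n" for a in ALGOS}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(served)
        return verify_release(path, {"fileserver": sums(served), "wiki": sums(good)})
```

An empty list means every publication point agreed with the downloaded file for every digest; a missing entry is reported rather than silently skipped.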



