signed tarballs

Steve Grubb sgrubb at redhat.com
Thu Apr 13 20:43:58 UTC 2017


On Thursday, April 13, 2017 4:30:57 PM EDT William Roberts wrote:
> On Apr 13, 2017 13:28, "Christian Rebischke" <Chris.Rebischke at archlinux.org>
> wrote:
> 
> On Tue, Apr 11, 2017 at 10:03:54AM -0400, Steve Grubb wrote:
> > I added a sha256sum to the release announcement yesterday. You can also
> > access the people page via https.
> 
> Thanks, but as I stated before, SHA256 and https don't ensure a
> non-malicious tarball. Only a signed tarball can achieve this.
> 
> That's not true, he's providing you a detached signature via this
> mechanism. You just need to check the sha256sum before extraction.

Yeah, MD5 = collisions. SHA-1 = collisions. SHA-2 no known collisions. NIST 
found during the SHA-3 competition that SHA-2 was much more robust than 
previously thought.

-Steve
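The "check the sha256sum before extraction" step from the exchange above, as an added example that is not part of the original thread: a POSIX shell function that refuses to unpack a release tarball unless its SHA-256 digest matches the published one, plus a helper that builds a constructed sample tarball so it can be exercised offline. File names and the digest format (`sha256sum` output) are assumptions; a detached-signature check with the publisher's key is the separate step that binds that digest to an identity and is not shown here.

```shell
#!/bin/sh
# Added example, not from the original message. Refuse to extract a release
# tarball unless its SHA-256 digest matches the one announced by the publisher.
# A digest fetched from the same server as the tarball detects corruption and
# tampering in transit; it does not by itself prove who produced the tarball.

# Usage: verify_and_extract <tarball> <expected-sha256-hex> <destdir>
# Returns 0 and extracts into <destdir> only when the digest matches.
verify_and_extract() {
    tarball=$1
    expected=$2
    destdir=$3
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    # sha256sum prints "<hex>  <filename>"; keep only the hex digest.
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $tarball" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    mkdir -p "$destdir" && tar -xzf "$tarball" -C "$destdir"
}

# Build a constructed sample release (src/README inside release.tar.gz) under
# <workdir> and print its SHA-256 digest, standing in for the announcement.
make_sample_tarball() {
    workdir=$1
    mkdir -p "$workdir/src"
    echo "sample release contents" > "$workdir/src/README"
    tar -czf "$workdir/release.tar.gz" -C "$workdir" src
    sha256sum "$workdir/release.tar.gz" | cut -d' ' -f1
}

# Demo: a matching digest extracts; a tampered tarball is rejected.
demo() {
    work=$(mktemp -d)
    digest=$(make_sample_tarball "$work")
    verify_and_extract "$work/release.tar.gz" "$digest" "$work/out" || return 1
    [ -f "$work/out/src/README" ] || return 1
    printf 'x' >> "$work/release.tar.gz"   # simulate modification in transit
    if verify_and_extract "$work/release.tar.gz" "$digest" "$work/out2" 2>/dev/null; then
        return 1                            # must not have been accepted
    fi
    rm -rf "$work"
    return 0
}
```

Run `demo` to see both outcomes; in a real pipeline the expected digest comes from the release announcement, not from the download location.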