signed tarballs

Steve Grubb sgrubb at redhat.com
Thu Apr 13 22:25:06 UTC 2017


On Thursday, April 13, 2017 5:05:36 PM EDT Paul Moore wrote:
> On Thu, Apr 13, 2017 at 5:00 PM, William Roberts <bill.c.roberts at gmail.com> wrote:
> > Isn't the hash on the https people's page?

No, it's on the mail list. The mail list is moderated. Only a handful of people 
could post a spoofed message.

> > Which last time I looked wasn't throwing cert errors in chrome.
> 
> Unless Steve has exclusive administrative access to people.redhat.com
> (I think it is safe to say he does not, but correct me if I'm wrong
> Steve <b>) 

Nope.

> you can't trust an unsigned checksum regardless of how
> strong the https cert/crypto as the web admin could still tamper with
> the data.

They would have to go tamper with the mail list where all the hashes are 
publicly disclosed, too. There are multiple mail list archives. Then they 
would have to post the tampered tarball to the Fedora Build System which also 
publicly discloses hashes. And the Fedora Build System requires several 
identity checks to check it in and it maintains a log.

You might get one, but you can't get them all. I'd say just a simple check of 
the hash would catch most problems. If not, then I'd trust what's in Fedora 
over the people page.

-Steve
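
The cross-check described in the message above, as an added example that is not part of the original post or of any project's tooling: hash the downloaded tarball and compare it with the digests copied from several independent publications. SHA-256, the source labels and the sample data are assumptions; the thread does not name a hash algorithm.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file so a large tarball is never held in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def cross_check(actual, published):
    """Compare the computed digest with digests from independent sources.

    published maps a source label to the hex digest copied from it.
    Returns (verdict, agreeing_sources, disagreeing_sources):
      "match"    every source agrees with the download
      "conflict" sources disagree, so one publication was altered or is stale
      "mismatch" no source agrees with the download
    """
    if not published:
        raise ValueError("need at least one published digest")
    agree, disagree = [], []
    for source, digest in published.items():
        same = digest.strip().lower() == actual.lower()
        (agree if same else disagree).append(source)
    verdict = "match" if not disagree else "conflict" if agree else "mismatch"
    return verdict, sorted(agree), sorted(disagree)


if __name__ == "__main__":
    # Constructed stand-in for a downloaded tarball and its published hashes.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed tarball contents")
    digest = sha256_file(f.name)
    os.unlink(f.name)
    published = {  # hypothetical source labels
        "mail-list-archive-1": digest,
        "mail-list-archive-2": digest.upper(),
        "build-system-log": digest,
        "web-page": hashlib.sha256(b"tampered").hexdigest(),
    }
    print(cross_check(digest, published))
```

A "conflict" verdict names the source that diverges, which is the case the message argues a single tampered location cannot hide.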




More information about the Linux-audit mailing list