lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <11749.1319527717@turing-police.cc.vt.edu>
Date:	Tue, 25 Oct 2011 03:28:37 -0400
From:	Valdis.Kletnieks@...edu
To:	Greg KH <greg@...ah.com>
Cc:	Jari Ruusu <jariruusu@...rs.sourceforge.net>,
	linux-kernel@...r.kernel.org
Subject: Re: kernel.org tarball/patch signature files

On Tue, 25 Oct 2011 03:49:11 +0200, Greg KH said:

> The real check, to verify that this tarball really came from "me" should
> be done on the uncompressed tarball, which is what I can sign, and it is
> something that you, or anyone else, can reliable duplicate on their own
> by just using git and not even downloading the tarball at all.

I'm OK on that part..

> In other words, we just saved you a MASSIVE bandwidth transation for all
> of your future kernel downloads, and you can reliable know that the
> tarball you have in your system is what is on the kernel.org servers
> without you even having to download it yourself and run those
> decompression tools that you don't trus.

If you're building an automated process that will take a just-uploaded foo.tar
and generate foo.tar.{bz2,gz,foozip}, can you add a step that would just do an
'md5sum foo.tar.* > foo.tar.sums'?  Or sha256sum if you're worried about the
crypto weakness issues with MD5. Personally, I'm more interested in the "Did  I
hit a network error that the TCP checksum didn't catch?" case.

No hurry, I know what a beast it can be to redesign systems of this scale.  Just
a would-be-nice...


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ