Date:	Tue, 25 Oct 2011 03:28:37 -0400
From:	Valdis.Kletnieks@...edu
To:	Greg KH <greg@...ah.com>
Cc:	Jari Ruusu <jariruusu@...rs.sourceforge.net>,
	linux-kernel@...r.kernel.org
Subject: Re: kernel.org tarball/patch signature files

On Tue, 25 Oct 2011 03:49:11 +0200, Greg KH said:

> The real check, to verify that this tarball really came from "me" should
> be done on the uncompressed tarball, which is what I can sign, and it is
> something that you, or anyone else, can reliably duplicate on their own
> by just using git and not even downloading the tarball at all.

I'm OK on that part..

> In other words, we just saved you a MASSIVE bandwidth transaction for all
> of your future kernel downloads, and you can reliably know that the
> tarball you have in your system is what is on the kernel.org servers
> without you even having to download it yourself and run those
> decompression tools that you don't trust.

If you're building an automated process that will take a just-uploaded foo.tar
and generate foo.tar.{bz2,gz,foozip}, can you add a step that would just do an
'md5sum foo.tar.* > foo.tar.sums'?  Or sha256sum if you're worried about the
crypto weakness issues with MD5. Personally, I'm more interested in the "Did I
hit a network error that the TCP checksum didn't catch?" case.

No hurry, I know what a beast it can be to redesign systems of this scale.  Just
a would-be-nice...


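An added shell example, not code from the thread or from kernel.org's release tooling, covering both halves of the exchange: the `foo.tar.sums` file over the compressed variants that catches transport corruption, and a check of the uncompressed tarball's hash, which stands in for the signed artefact Greg describes. It assumes GNU coreutils (sha256sum), tar, gzip and dd, and constructs its own small release tree.

```shell
#!/bin/sh
# Added example, not from the thread. Publishes a sums file for the compressed
# variants and verifies a download against it and against the hash of the
# uncompressed tarball. Assumes GNU coreutils (sha256sum), tar, gzip and dd;
# the release tree and its contents are constructed here.
set -eu

# Build a small constructed release, tar it, gzip it, and write the two hash
# files. Prints the directory holding the published files.
publish_release() {
    work=$(mktemp -d)
    mkdir -p "$work/foo"
    printf 'hello from a constructed release\n' > "$work/foo/README"
    ( cd "$work" && tar -cf foo.tar foo && gzip -c foo.tar > foo.tar.gz )
    # Hash of the uncompressed tarball: stands in for what the signature covers.
    ( cd "$work" && sha256sum foo.tar > foo-uncompressed.sha256 )
    # Hashes of every compressed variant, for transport-error detection.
    ( cd "$work" && sha256sum foo.tar.* > foo.tar.sums )
    printf '%s\n' "$work"
}

# verify_download DIR FILE: first check FILE against foo.tar.sums (catches
# corruption the TCP checksum missed), then decompress and check that the
# result hashes to the published uncompressed-tarball hash.
# Returns 0 only when both checks pass.
verify_download() {
    dir=$1; file=$2
    ( cd "$dir" && grep " $file\$" foo.tar.sums | sha256sum -c --quiet - ) \
        >/dev/null 2>&1 || return 1
    expected=$(cut -d' ' -f1 "$dir/foo-uncompressed.sha256")
    actual=$(gzip -dc "$dir/$file" 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Simulate a transport error by overwriting one byte of a downloaded file.
corrupt_file() {
    printf 'X' | dd of="$1" bs=1 seek=10 conv=notrunc 2>/dev/null
}
```

Because the second check hashes the decompressed stream, it gives the same answer whichever compression format was downloaded, which is the property that lets one signature cover every variant.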
