From: Steve Grubb <sgrubb@redhat.com>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: signed tarballs
Date: Thu, 13 Apr 2017 16:43:58 -0400 [thread overview]
Message-ID: <2130568.dMp5T6juCr@x2> (raw)
In-Reply-To: <CAFftDdovoD5zoRTtnDj39Jz0Wxej8a=+o_ftR-A4NN5AMu1yjQ@mail.gmail.com>
On Thursday, April 13, 2017 4:30:57 PM EDT William Roberts wrote:
> On Apr 13, 2017 13:28, "Christian Rebischke" <Chris.Rebischke@archlinux.org>
> wrote:
>
> On Tue, Apr 11, 2017 at 10:03:54AM -0400, Steve Grubb wrote:
> > I added a sha256sum to the release announcement yesterday. You can also
> > access the people page via https.
>
> Thanks, but as I stated before. SHA256 and https doesn't ensure a
> non-malicious tarball. Only a signed tarball can achieve this.
>
> That's not true, he's providing you a detached signature via this
> mechanism. You just need to check the sha256sum before extraction.
Yeah, MD5 = collisions. SHA-1 = collisions. SHA-2 no known collisions. NIST
found during the SHA-3 competition that SHA-2 was much more robust than
previously thought.
-Steve
next prev parent reply other threads:[~2017-04-13 20:43 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-06 23:31 signed tarballs Christian Rebischke
2017-04-07 1:27 ` William Roberts
2017-04-07 23:41 ` Christian Rebischke
2017-04-07 23:52 ` William Roberts
2017-04-08 12:53 ` Paul Moore
2017-04-10 18:51 ` Steve Grubb
2017-04-10 18:35 ` Steve Grubb
2017-04-11 10:44 ` Christian Rebischke
2017-04-11 14:03 ` Steve Grubb
2017-04-13 20:28 ` Christian Rebischke
2017-04-13 20:30 ` William Roberts
2017-04-13 20:43 ` Steve Grubb [this message]
2017-04-13 20:56 ` Christian Rebischke
2017-04-13 21:00 ` William Roberts
2017-04-13 21:05 ` Paul Moore
2017-04-13 21:08 ` William Roberts
2017-04-13 21:17 ` Paul Moore
2017-04-13 22:39 ` William Roberts
2017-04-13 21:22 ` Christian Rebischke
2017-04-13 22:45 ` William Roberts
2017-04-13 23:17 ` Steve Grubb
2017-04-13 22:25 ` Steve Grubb
2017-04-14 13:06 ` Paul Moore
2017-04-14 13:38 ` Steve Grubb
2017-04-14 23:03 ` Christian Rebischke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2130568.dMp5T6juCr@x2 \
--to=sgrubb@redhat.com \
--cc=bill.c.roberts@gmail.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.