dash.vger.kernel.org archive mirror
From: Luke <g4jc@openmailbox.org>
To: dash@vger.kernel.org
Subject: File integrity of dash source
Date: Thu, 3 Nov 2016 22:28:01 -0400
Message-ID: <389bec45-040e-f34c-dc01-35fd040075d4@openmailbox.org>
Hello,
I am contacting you as a package maintainer of Parabola GNU/Linux-libre,
a fully free operating system in compliance with the Free Software
Foundation's GNU FSDG. We also have a focus on privacy and security.

We attempt to ensure that all of our packages and upstream are secure.
As such I discovered a problem with your package "dash".

There is currently no GPG signature to verify that the
source is actually the one you have created.
This is particularly important since there have been recent attacks
which replaced files on upstream servers. Take for example the Linux
Mint hack earlier this year.
(https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/)

I would like to request that you please upload a SHA512 checksum of your
dash tar.gz files, as well as sign the SHA512 with a GPG signature.

Technical documentation on how to do this:
http://docs.oracle.com/cd/E36784_01/html/E36870/sha512sum-1.html
sha512sum * > SHA512SUMS

https://help.ubuntu.com/community/GnuPrivacyGuardHowto
https://access.redhat.com/solutions/1541303
gpg --clearsign -o SHA512SUMS.sign SHA512SUMS


The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be
uploaded to your site (or on another site/server for added security), so
that package maintainers can verify that the source is accurate and
unhacked by a third party prior to packaging.

Thank you for your time and concern.


Sincerely,
Luke
Parabola GNU/Linux-libre Packager

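The packager-side counterpart of the two commands above, as an added example that is not part of this e-mail or of dash: it verifies the clearsigned SHA512SUMS against a pinned keyring before trusting any checksum, then compares one tarball against its listed hash. It assumes the upstream signing key has been imported into a dedicated keyring file (release-key.gpg, a placeholder name) and that SHA512SUMS.sign was produced by `gpg --clearsign`.

```sh
#!/bin/sh
# Packager-side check of a release tarball against a clearsigned SHA512SUMS.
# Added example, not from the e-mail or dash. Assumed inputs: release-key.gpg
# (placeholder: keyring holding only the upstream signing key), SHA512SUMS.sign
# (output of `gpg --clearsign -o SHA512SUMS.sign SHA512SUMS`) and the tarball.

# Verify the clearsigned file against the pinned keyring only (not the
# default keyring), then write the signed text out for the checksum step.
verify_sums_signature() {
    keyring=$1; signed=$2; out=$3
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$signed" 2>/dev/null || return 1
    gpg --batch --yes --no-default-keyring --keyring "$keyring" \
        --output "$out" --decrypt "$signed" 2>/dev/null
}

# Compare one tarball against the entry for its basename in SHA512SUMS; fail
# if it is not listed at all, so a signed list that omits it cannot pass.
check_tarball() {
    sums=$1; tarball=$2
    name=$(basename "$tarball")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name is not listed in $sums" >&2
        return 1
    fi
    actual=$(sha512sum "$tarball" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Full flow: signature first, checksum second. A bad signature stops before
# any checksum is trusted.
verify_source() {
    keyring=$1; signed=$2; tarball=$3
    sums=$(mktemp)
    if ! verify_sums_signature "$keyring" "$signed" "$sums"; then
        rm -f "$sums"
        echo "signature on $signed did not verify against $keyring" >&2
        return 1
    fi
    check_tarball "$sums" "$tarball"
    rc=$?
    rm -f "$sums"
    return "$rc"
}
# Usage: sh verify-source.sh release-key.gpg SHA512SUMS.sign dash-X.Y.Z.tar.gz
if [ "$#" -eq 3 ]; then
    verify_source "$1" "$2" "$3" && echo "OK: $3 matches the signed SHA512SUMS"
fi
```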