Re: leaks in our only-signed-software fortress
On 02/18/2012 08:40 PM, Neil Williams wrote:
> On Sat, 18 Feb 2012 11:48:27 +0100
> Thomas Koch <firstname.lastname@example.org> wrote:
>> I think as a start it should be made a policy that any "wrapper" package that
>> downloads code from the net must at least do a strong checksum check on the
>> downloaded code.
> Not possible to enforce as a 'MUST' because, by definition, third-party
> websites will not provide checksums for every possible download
We're trying to mitigate risks of a man-in-the-middle
attack here. Not to authenticate a content, which is
the job of the maintainer. We want to check that the
file is the same one as the one the maintainer downloaded.
Which means that if there isn't a checksum on the
third-party website, a maintainer can just run sha512sum
and save the checksum in his download script (or next to
it) by himself for later runtime check.
So yes, a MUST can happen, IMO.