
Re: leaks in our only-signed-software fortress

On 02/18/2012 08:40 PM, Neil Williams wrote:
> On Sat, 18 Feb 2012 11:48:27 +0100
> Thomas Koch <thomas@koch.ro> wrote:
>> I think as a start it should be made a policy that any "wrapper" package that 
>> downloads code from the net must at least do a strong checksum check on the 
>> downloaded code.
> Not possible to enforce as a 'MUST' because, by definition, third-party
> websites will not provide checksums for every possible download
> mechanism.

We're trying to mitigate the risk of a man-in-the-middle
attack here, not to authenticate the content, which is
the job of the maintainer. We want to check that the
file is the same one as the one the maintainer downloaded.
Which means that if there isn't a checksum on the
third-party website, a maintainer can just run sha512sum
and save the checksum in his download script (or next to
it) by himself for a later runtime check.

So yes, a MUST can happen, IMO.
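
The runtime check described in the message above, as an added example that is not part of the original e-mail or of any Debian package. The names fetch_verified and demo are hypothetical, and cp stands in for the network download so the sketch runs offline.

```shell
#!/bin/sh
# Added example (not from the original message). fetch_verified and demo
# are hypothetical names; the fetch command is a parameter so this runs offline.

# fetch_verified <pinned-sha512> <dest> <fetch-cmd...>
# Runs <fetch-cmd...> with a temp file path appended as its last argument,
# then installs the file at <dest> only if its SHA-512 equals the pin.
# Returns 0 on success, 1 on checksum mismatch, 2 if the fetch itself failed.
fetch_verified() {
    pinned=$1 dest=$2
    shift 2
    tmp=$(mktemp "${dest}.XXXXXX") || return 2   # same dir as dest
    if ! "$@" "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    actual=$(sha512sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$pinned" ]; then
        echo "checksum mismatch for $dest: expected $pinned, got $actual" >&2
        rm -f "$tmp"        # unverified data never reaches <dest>
        return 1
    fi
    mv "$tmp" "$dest"
}

# Constructed demo: cp stands in for the network download.
demo() {
    d=$(mktemp -d) || return 2
    printf 'upstream blob v1\n' > "$d/upstream"
    # What the maintainer does once, at packaging time:
    pin=$(sha512sum "$d/upstream" | cut -d' ' -f1)
    # What the wrapper does on the user's machine:
    fetch_verified "$pin" "$d/ok" cp "$d/upstream" || return 3
    # Same source now serves different bytes (constructed modification):
    printf 'modified in transit\n' > "$d/upstream"
    if fetch_verified "$pin" "$d/bad" cp "$d/upstream" 2>/dev/null; then
        return 4
    fi
    [ -f "$d/ok" ] && [ ! -e "$d/bad" ]
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "demo: verified copy installed, modified copy rejected"
```

In a real wrapper the fetch command would be something like `curl -fsSL "$URL" -o`, so that the temp path lands after `-o`, with the pinned value shipped inside the package next to the download script.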

