[gdal-dev] checksums for source releases


[gdal-dev] checksums for source releases

Ben Elliston
The source download page:
https://trac.osgeo.org/gdal/wiki/DownloadSource

.. gives MD5 checksums for the source releases. Starting with 2.3.1, can
I suggest we start using SHA256 instead of the long-broken MD5?

Ben
_______________________________________________
gdal-dev mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/gdal-dev

Re: checksums for source releases

Even Rouault-2
On Wednesday, 13 June 2018 09:02:00 CEST Ben Elliston wrote:
> The source download page:
> https://trac.osgeo.org/gdal/wiki/DownloadSource
>
> .. gives MD5 checksums for the source releases. Starting with 2.3.1, can
> I suggest we start using SHA256 instead of the long-broken MD5?

The checksum is more intended to check that there wasn't an accidental
corruption in the transportation of the archive (MD5 will remain safe forever
for detecting that), rather than an attempt to forge a hostile archive. In
which case, we should also sign the checksum...

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com

Re: checksums for source releases

Ben Elliston
On 13/06/18 09:18, Even Rouault wrote:

> The checksum is more intended to check that there wasn't an accidental
> corruption in the transportation of the archive (MD5 will remain safe forever
> for detecting that), rather than an attempt to forge a hostile archive. In
> which case, we should also sign the checksum...

Or just sign the tarballs. :-)

Ben

Re: checksums for source releases

Even Rouault-2
On Wednesday, 13 June 2018 09:20:24 CEST Ben Elliston wrote:
> On 13/06/18 09:18, Even Rouault wrote:
> > The checksum is more intended to check that there wasn't an accidental
> > corruption in the transportation of the archive (MD5 will remain safe
> > forever for detecting that), rather than an attempt to forge a hostile
> > archive. In which case, we should also sign the checksum...
>
> Or just sign the tarballs. :-)

Things get messy when signing is involved and you need to consider all the
chain from a security point of view (*), otherwise there's little point in
doing it.

Currently I generate the archives on an OSGeo server. More to follow the
tradition rather than a real reason I believe. If signing was involved, which
key should be used, and where would such signing occur? I could use my
personal GPG key, but on my own PC (since I wouldn't trust the servers enough)
but then my pubkey should be made public somewhere in a trusted location (you
wouldn't put it next to the archive, in case someone would manage to forge the
archive, they would also be able to replace it with their own key). And that
would be annoying if someone else wanted to do a release. So lots of
complications for little benefit...

If people are worried about the archive authenticity, then they can also check out
the corresponding git tag, and diff it with the archive.

Even

(*) you'd better not use any CPU with speculative execution while you are at it.

--
Spatialys - Geospatial professional services
http://www.spatialys.com
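Added here to illustrate the two points made in this thread (Ben's SHA256 suggestion and Even's remark that a checksum only catches accidental corruption, not a forged archive); it is not code from the thread or from GDAL. It verifies an archive against a sha256sum/md5sum-style checksum file; the archive bytes and file name are constructed stand-ins.

```python
"""Verify a release archive against a sha256sum/md5sum-style checksum file."""
import hashlib
import hmac

# The coreutils tools write "<hexdigest>  <filename>"; the algorithm is implied
# by the digest length (32 hex chars for MD5, 64 for SHA-256).
_ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}

def sums_line(name, data, algo="sha256"):
    """Produce the line a release manager gets from `sha256sum <name>` (or md5sum)."""
    return "%s  %s" % (hashlib.new(algo, data).hexdigest(), name)

def parse_sums_file(text):
    """Parse checksum lines into {filename: (algorithm, hexdigest)}.
    Malformed lines are skipped rather than treated as matches."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        algo = _ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or not set(digest) <= set("0123456789abcdef"):
            continue
        entries[name] = (algo, digest)
    return entries

def verify_archive(name, data, sums_text):
    """Return (matched, algorithm) for the archive bytes.
    A match shows the bytes are the ones the checksum file describes, which catches
    transfer corruption with either algorithm. It says nothing about who produced
    them: a checksum file served beside the archive can be replaced together with
    it, so authenticity needs a signature (or a diff against the git tag) instead."""
    entry = parse_sums_file(sums_text).get(name)
    if entry is None:
        return (False, None)
    algo, expected = entry
    actual = hashlib.new(algo, data).hexdigest()
    return (hmac.compare_digest(actual, expected), algo)

if __name__ == "__main__":
    # Constructed stand-in for a release tarball; not a real GDAL archive.
    archive = b"\x1f\x8b" + b"gdal-2.3.1 example payload" * 64
    sums = sums_line("gdal-2.3.1.tar.gz", archive)
    print(verify_archive("gdal-2.3.1.tar.gz", archive, sums))            # (True, 'sha256')
    print(verify_archive("gdal-2.3.1.tar.gz", archive + b"\x00", sums))  # (False, 'sha256')
```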