Re: [dev] Checksums and Sig files for release gzip

From: Daniel Cegiełka <daniel.cegielka_AT_gmail.com>
Date: Tue, 13 Apr 2021 19:20:09 +0200

wt., 13 kwi 2021 o 17:59 Hiltjo Posthuma <hiltjo_AT_codemadness.org> napisał(a):
>
> On Tue, Apr 13, 2021 at 04:45:07PM +0200, Daniel Cegiełka wrote:
> > How/where SHA512 is better than SHA256 or SHA1? I don't see any added
> > value in this. If someone breaks into your server and replace files,
> > may also regenerate check sums (SHA256/512 or SHA3, scrypt etc.). The
> > use of MD5 will be equally (un)safe as SHA512 :)
> >
>
> One example where it would not be equally unsafe is if someone or some distro
> mirrors the source-code.

The only security you get here is making sure the file has not been
corrupted while being transferred over the network. It has nothing to
do with security. If someone takes control of the server, it will
replace the file and generate new checksum. To prevent this, the file
should be secured not with a checksum, but with asymmetric
cryptography (signify, gpg).


> > A better solution is e.g. signify from OpenBSD or GnuPG.
> >
> > https://man.openbsd.org/signify
> >
> > Daniel
> >
> > wt., 13 kwi 2021 o 13:36 Sagar Acharya <sagaracharya_AT_tutanota.com> napisał(a):
> > >
> > > Can we have SHA512 checksums and sig files for the release gzips of suckless software?
> > >
> > > Thanking you
> > > Sagar Acharya
> > > https://designman.org
> > >
> >
>
> --
> Kind regards,
> Hiltjo
>
Received on Tue Apr 13 2021 - 19:20:09 CEST

This archive was generated by hypermail 2.3.0 : Tue Apr 13 2021 - 19:24:10 CEST