Re: [dev] Checksums and Sig files for release gzip

From: Laslo Hunhold <dev_AT_frign.de>
Date: Sat, 17 Apr 2021 16:36:03 +0200

On Sat, 17 Apr 2021 07:45:16 +0200 (CEST)
Sagar Acharya <sagaracharya_AT_tutanota.com> wrote:

Dear Sagar,

> Ok. But this is a behavioral change right? How can a patch help in
> this case?
>
> Admins always protest the decision in almost every community if it
> isn't theirs. Am I suggesting something harmful here? It takes a
> minute to sign a release and this improves security. It makes sure
> that user gets the same piece of code that the dev made.
>
> If that action helps suckless, why be reluctant because I initiated
> that mail? Thanking you

from what I can tell, most of the time package managers do hash
confirmation by hand and then add a "known good" hash of their choosing
to the package-script itself (e.g. on Gentoo with the ebuild manifest
that is automatically generated from hand-validated files).
In that regard, sha256 is fine. And always know your threat vectors: If
someone powerful enough was interested in "forging" a hash for dwm,
we'd have completely different problems. The attacker would probably
just use another, more targeted, approach.
And, in a way, keeping the choice of hashes up to the consumer (i.e.
package manager) adds a great layer of protection, because then you
have different hash functions running on the data, and it's impossible
to then forge it for everyone.

With best regards

Laslo
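The packager workflow Laslo describes above (validate one copy by hand, pin its digest in the package script, and compare every later download against that pinned value, with each downstream consumer free to pick their own hash functions) as an added worked example. This is illustration code written for this archive page, not code from suckless, Gentoo, or any package manager; the manifest dict is a simplified stand-in for a real manifest format, and the release bytes are constructed.

```python
"""Pin-and-verify check for a release tarball.

The packager validates a copy by hand once, records its digests, and every
later download is compared against those pinned values. Added example, not
project code: the manifest layout is a simplified stand-in, and RELEASE is
a constructed byte string rather than a real dwm tarball.
"""
import hashlib
import hmac

# Constructed stand-in for a release tarball (in reality: the .tar.gz bytes).
RELEASE = b"dwm release tarball contents (constructed sample)\n" * 64

# Algorithms a downstream packager might choose to pin. Because each
# consumer chooses independently, a forged tarball would have to match
# under every function pinned by every consumer, which is the point made
# in the message above.
ALGORITHMS = ("sha256", "sha512", "blake2b")


def digest(data: bytes, algorithm: str) -> str:
    """Hex digest of `data` under the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def make_manifest(validated: bytes, algorithms=ALGORITHMS) -> dict:
    """Build the 'known good' table from a copy the packager validated by hand."""
    return {alg: digest(validated, alg) for alg in algorithms}


def verify_release(downloaded: bytes, manifest: dict) -> dict:
    """Compare a download against every pinned digest.

    Returns {algorithm: bool}. An algorithm pinned in the manifest but not
    available in this Python build is reported as False rather than being
    skipped, so an unsupported entry can never silently weaken the check.
    """
    results = {}
    for alg, expected in manifest.items():
        if alg not in hashlib.algorithms_available:
            results[alg] = False
            continue
        actual = digest(downloaded, alg)
        # Constant-time comparison of the two hex strings.
        results[alg] = hmac.compare_digest(actual, expected)
    return results


def release_is_trusted(downloaded: bytes, manifest: dict) -> bool:
    """True only if the manifest is non-empty and every pinned digest matches."""
    results = verify_release(downloaded, manifest)
    return bool(results) and all(results.values())


# Packager workflow: the manifest is produced once from the hand-validated copy.
MANIFEST = make_manifest(RELEASE)

if __name__ == "__main__":
    print("pristine download trusted:", release_is_trusted(RELEASE, MANIFEST))
    tampered = RELEASE[:-1] + b"?"  # a single changed byte
    print("tampered download trusted:", release_is_trusted(tampered, MANIFEST))
    for alg, ok in verify_release(tampered, MANIFEST).items():
        print(f"  {alg}: {'match' if ok else 'MISMATCH'}")
```

The empty-manifest guard in `release_is_trusted` matters: `all()` over no results is vacuously true, so without it a package script with its hash table accidentally stripped would accept anything.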
Received on Sat Apr 17 2021 - 16:36:03 CEST