From: Jim Meyering <jim@meyering.net>
To: Simon Josefsson <simon@josefsson.org>
Cc: "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>
Subject: Re: announce-gen and OpenPGP key servers
Date: Tue, 3 Aug 2021 10:52:54 -0700 [thread overview]
Message-ID: <CA+8g5KEpavcqsGJQ94ykJ+Di4PHVAu5JNJQ1xpTQRR0w3Mnoew@mail.gmail.com> (raw)
In-Reply-To: <87wnp2o7tk.fsf@latte.josefsson.org>
On Tue, Aug 3, 2021 at 8:40 AM Simon Josefsson <simon@josefsson.org> wrote:
> Jim Meyering <jim@meyering.net> writes:
>
> > Feel free to make the script generate a full fingerprint and even
> > (though it feels a little like giving up) add a checksum or two.
>
> I think checksums still serve a purpose.
>
> Many announcement e-mails are OpenPGP signed (and sometimes with a
> different key than the release tarballs, thus creating another way to
> verify tarballs).
>
> Checksums also makes it harder to replace the tarball on the server with
> a fake (or, after a key compromise, a genuine) signature.
>
> I don't think it is a either-or situation, but rather a
> belt-and-suspender case. Ideally, people downloading a release should
Agreed.
> verify both the signature (to know it comes from a trusted origin) and
> checksum (to know it is the intended release, in case multiple signed
> versions co-exists).
>
> The patches below make the maintainer-makefile announcements contain
> SHA1 and B64(SHA256) checksums by default. The MD5 checksums are
> dropped; they are completely insecure now. The B64(SHA256) output is
> inspired by OpenSSH which started this practice with release 6.5 in 2014
> and still today prints similar outputs, see:
>
> https://www.openssh.com/txt/release-6.5
> https://www.openssh.com/txt/release-8.6
>
> Unfortunately, 'sha256sum' can't verify these outputs, but I recall
> earlier discussions around 'sha256sum --base64' so I will resume work on
> that.
>
> We could opt to simply use the "standard" sha256sum output instead, if
> people here don't like the base64 output format.
Thanks, Simon! I too am all for B64-formatted checksums.
You may want to coordinate with Pádraig.
I think he is planning a unification of the checksum-generating tools.
Your patches look fine. One nit: please drop the "Please" here :-)
+ print "\nPlease note that the SHA256 checksum is base64 encoded and not\n";
next prev parent reply other threads:[~2021-08-03 17:53 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-27 9:38 announce-gen and OpenPGP key servers Simon Josefsson via Gnulib discussion list
2021-07-27 18:48 ` Paul Eggert
2021-07-28 1:57 ` Jim Meyering
2021-08-03 15:40 ` Simon Josefsson via Gnulib discussion list
2021-08-03 17:52 ` Jim Meyering [this message]
2021-08-03 19:20 ` Simon Josefsson via Gnulib discussion list
2021-08-03 19:25 ` Paul Eggert
2021-08-03 23:51 ` Jim Meyering
2021-08-04 9:19 ` Simon Josefsson via Gnulib discussion list
2021-08-01 15:47 ` Bernhard Voelker
2021-08-02 10:09 ` Simon Josefsson via Gnulib discussion list
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.gnu.org/mailman/listinfo/bug-gnulib
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+8g5KEpavcqsGJQ94ykJ+Di4PHVAu5JNJQ1xpTQRR0w3Mnoew@mail.gmail.com \
--to=jim@meyering.net \
--cc=bug-gnulib@gnu.org \
--cc=simon@josefsson.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).