From: Jim Meyering
Date: Tue, 3 Aug 2021 10:52:54 -0700
Subject: Re: announce-gen and OpenPGP key servers
To: Simon Josefsson
Cc: "bug-gnulib@gnu.org List"

On Tue, Aug 3, 2021 at 8:40 AM Simon Josefsson wrote:
> Jim Meyering writes:
>
> > Feel free to make the script generate a full fingerprint and even
> > (though it feels a little like giving up) add a checksum or two.
>
> I think checksums still serve a purpose.
>
> Many announcement e-mails are OpenPGP signed (and sometimes with a
> different key than the release tarballs, thus creating another way to
> verify tarballs).
>
> Checksums also make it harder to replace the tarball on the server with
> a fake (or, after a key compromise, a genuine) signature.
>
> I don't think it is an either-or situation, but rather a
> belt-and-suspender case. Ideally, people downloading a release should

Agreed.

> verify both the signature (to know it comes from a trusted origin) and
> checksum (to know it is the intended release, in case multiple signed
> versions co-exist).
>
> The patches below make the maintainer-makefile announcements contain
> SHA1 and B64(SHA256) checksums by default. The MD5 checksums are
> dropped; they are completely insecure now. The B64(SHA256) output is
> inspired by OpenSSH which started this practice with release 6.5 in 2014
> and still today prints similar outputs, see:
>
> https://www.openssh.com/txt/release-6.5
> https://www.openssh.com/txt/release-8.6
>
> Unfortunately, 'sha256sum' can't verify these outputs, but I recall
> earlier discussions around 'sha256sum --base64' so I will resume work on
> that.
>
> We could opt to simply use the "standard" sha256sum output instead, if
> people here don't like the base64 output format.

Thanks, Simon!
I too am all for B64-formatted checksums. You may want to coordinate
with Pádraig. I think he is planning a unification of the
checksum-generating tools.

Your patches look fine. One nit: please drop the "Please" here :-)

+ print "\nPlease note that the SHA256 checksum is base64 encoded and not\n";
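
Review bot: on this print line the generated note tells readers that the SHA256 value is base64 encoded, but the thread itself says 'sha256sum' cannot verify that form, so the announcement text should also state how a reader can check the value (for example the command that produces the same base64 digest), unless the lines cut off after this one already do.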
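
An added example, not part of the original message and not code from gnulib's announce-gen: because the quoted text notes that 'sha256sum' cannot verify a B64(SHA256) value, this Python code checks a file against such a digest and converts it to the hex line that 'sha256sum -c' accepts. The file name and contents in demo() are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import os
import tempfile


def b64_sha256_to_hex(b64_digest: str) -> str:
    """Convert a base64 SHA-256 digest to the hex form sha256sum prints."""
    text = b64_digest.strip()
    text += "=" * (-len(text) % 4)  # tolerate a digest pasted without padding
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != hashlib.sha256().digest_size:
        # e.g. an MD5 or SHA1 value pasted by mistake
        raise ValueError(f"decoded to {len(raw)} bytes, expected 32")
    return raw.hex()


def file_sha256_hex(path: str) -> str:
    """Hash the file in chunks so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_b64_sha256(path: str, b64_digest: str) -> bool:
    """True if the file's SHA-256 matches the announced base64 digest."""
    expected = b64_sha256_to_hex(b64_digest)
    return hmac.compare_digest(file_sha256_hex(path), expected)


def sha256sum_check_line(path: str, b64_digest: str) -> str:
    """Line in the 'HEX  NAME' format that 'sha256sum -c' reads."""
    return f"{b64_sha256_to_hex(b64_digest)}  {os.path.basename(path)}"


def demo():
    # Constructed sample: a tiny stand-in "tarball" and its announced digest.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(b"abc")
        announced = base64.b64encode(hashlib.sha256(b"abc").digest()).decode()
        return verify_b64_sha256(path, announced), sha256sum_check_line(path, announced)
```
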