Subject: Re: [boost] Providing means to verify integrity and authenticity for releases
From: Vladimir Prus (vladimir.prus_at_[hidden])
Date: 2016-03-15 03:31:17
On 3/15/2016 5:34 AM, Tom Kent wrote:
> I would really like to see the core release team adopt a similar procedure
> in their release. This would only take a few steps:
> 1. Switch from md5 sums to a secure hash, such as SHA-256.
You make it sounds as if the use of md5 checksums is a huge problem, but I
think that for release checking we only care about second-preimage
resistance, and there's no remotely practical attack on md5 still.
Of course, sha2 is better and just as easy to compute.
> 2. Sign these sums with a secure PGP/GPG key.
> 3. Publish this signed file with the sums alongside the downloads.
This is indeed not very hard to do, but do you think many people will
go to the trouble of:
- Getting PGP key of a release manager and verifying that
- Checking signature of the sums file
- Checking the checksum proper
Maybe detached GPG signature of release binary itself will be a tad
-- Vladimir Prus http://vladimirprus.com
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk