Boost logo

Boost :

Subject: Re: [boost] Providing means to verify integrity and authenticity for releases
From: Vladimir Prus (vladimir.prus_at_[hidden])
Date: 2016-03-15 03:31:17

Hi Tom,

On 3/15/2016 5:34 AM, Tom Kent wrote:

> I would really like to see the core release team adopt a similar procedure
> in their release. This would only take a few steps:

> 1. Switch from md5 sums to a secure hash, such as SHA-256.

You make it sounds as if the use of md5 checksums is a huge problem, but I
think that for release checking we only care about second-preimage
resistance, and there's no remotely practical attack on md5 still.
Of course, sha2 is better and just as easy to compute.

> 2. Sign these sums with a secure PGP/GPG key.
> 3. Publish this signed file with the sums alongside the downloads.

This is indeed not very hard to do, but do you think many people will
go to the trouble of:

- Getting PGP key of a release manager and verifying that
- Checking signature of the sums file
- Checking the checksum proper

Maybe detached GPG signature of release binary itself will be a tad
more convenient?

Vladimir Prus

Boost list run by bdawes at, gregod at, cpdaniel at, john at