Boost logo

Boost :

Subject: Re: [boost] Providing means to verify integrity and authenticity for releases
From: Tom Kent (lists_at_[hidden])
Date: 2016-03-16 07:36:47


On Tue, Mar 15, 2016 at 2:31 AM, Vladimir Prus <vladimir.prus_at_[hidden]>
wrote:

>
> Hi Tom,
>
> On 3/15/2016 5:34 AM, Tom Kent wrote:
>
> I would really like to see the core release team adopt a similar procedure
>> in their release. This would only take a few steps:
>>
>
> > 1. Switch from md5 sums to a secure hash, such as SHA-256.
>
> You make it sounds as if the use of md5 checksums is a huge problem, but I
> think that for release checking we only care about second-preimage
> resistance, and there's no remotely practical attack on md5 still.
> Of course, sha2 is better and just as easy to compute.
>

Very true, but A) why not? B) this might not be the case ten years from
now, and some developer may want to use an old archive.

>
> 2. Sign these sums with a secure PGP/GPG key.
>> 3. Publish this signed file with the sums alongside the downloads.
>>
>
> This is indeed not very hard to do, but do you think many people will
> go to the trouble of:
>
> - Getting PGP key of a release manager and verifying that
> - Checking signature of the sums file
> - Checking the checksum proper
>
> Maybe detached GPG signature of release binary itself will be a tad
> more convenient?
>

No, I don't think many people at all will care one iota about this, I would
expect less than 1%. However, of that 1% that might care at all, I would
expect 90% of those would just care that they got a valid download and want
to check the sums, only that final 10% of the 1% would want to verify the
signature. Because of this, I think it is better to have a separate sums
file....but I would be completely happy with either solution.

Tom


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk