Subject: Re: [boost] Providing means to verify integrity and authenticity for releases
From: Daniel Hofmann (daniel_at_[hidden])
Date: 2016-03-16 08:13:37
On 03/16/2016 12:36 PM, Tom Kent wrote:
>> > 2. Sign these sums with a secure PGP/GPG key.
>>> >> 3. Publish this signed file with the sums alongside the downloads.
>> > This is indeed not very hard to do, but do you think many people will
>> > go to the trouble of:
>> > - Getting PGP key of a release manager and verifying that
>> > - Checking signature of the sums file
>> > - Checking the checksum proper
>> > Maybe detached GPG signature of release binary itself will be a tad
>> > more convenient?
> No, I don't think many people at all will care one iota about this, I would
> expect less than 1%. However, of that 1% that might care at all, I would
> expect 90% of those would just care that they got a valid download and want
> to check the sums, only that final 10% of the 1% would want to verify the
> signature. Because of this, I think it is better to have a separate sums
> file....but I would be completely happy with either solution.
In the end those few situations could be package maintainer for Linux
distributions or alternative package managers like brew for OSX in need
of verifying the Boost release they got for their thousands of users.
For example, here's how brew does it currently:
And although there is a SHA256 checksum in there, it probably comes from
the initial developer downloading the Boost release and calculating the
checksum locally, as there are no checksums I could find from the Boost
Therefore all it does is verifying file integrity _for the file that
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk