[dev] Distributing tarballs with md5 sums or GPG signatures

Aleksandar Milivojevic alex at milivojevic.org
Tue Jul 26 08:17:02 PDT 2005


Kevin Myer wrote:
> Quoting Jan Schneider <jan at horde.org>:
>
>> Zitat von Kevin Myer <kevin_myer at iu13.org>:
>>
>>> I noticed that the code for Horde and apps available for download is not
>>> distributed with any sort of checksum or other integrity verification means.
>>
>> That's not true, all announcement messages contain the MD5 sums.
>
> Sorry, I should have been more specific.  There is nothing directly associated
> with a download on ftp.horde.org.  In other words, there is no easy to access
> collection of MD5 sums anywhere.  There is an archive of announcement messages,
> which I can search, but that would not generally encourage people to verify
> checksums.  But if I don't download using a link in an announcement, I have to
> go back and search for the md5sum.
>
> In fact, keeping the two separate is a good idea, since if I can compromise a
> server, and replace tarballs, I can also compute new md5sums for the tarballs
> and replace them as well.  What I was getting at was having a separate but
> consolidated listing of md5sums (or GPG signing releases, which negates the
> need to keep them separate, unless someone can obtain your key as well).

Well, you just made the point why there's no sense in having MD5 checksums 
on the ftp server.  It would only give people a false sense of security. 
As you said, whoever is able to replace tarballs can simply replace the 
MD5 checksums as well.

PGP signatures are a different story.  There would be value in having 
those, if handled properly.  But only for those paranoid enough to 
properly check the authenticity of the public key -- the way most people 
check signatures is almost the same as not having them at all.
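An added example (not code from this thread or from the Horde project) of the check the reply above calls for: accept a release tarball only when its detached signature was made by the key whose fingerprint you obtained out of band and pinned, not by whatever key gpg happens to have in its keyring. It assumes a `gpg` binary on PATH; the fingerprint and the status lines are constructed placeholders.

```python
"""Verify a tarball's detached PGP signature against a pinned key fingerprint.

A bare `gpg --verify` exit code of 0 only means "good signature from some key
in the keyring"; the decision here is made on the VALIDSIG status line instead.
"""
import subprocess

# Constructed placeholder, NOT a real Horde release key fingerprint.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed `gpg --status-fd 1` output for a good signature by the pinned
# key (not captured from a real run). Field layout of VALIDSIG:
#   VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsv> <pkalg> <hashalg> <class> [<primary fpr>]
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager <rm@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2005-07-26 1122383822 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""


def signer_fingerprints(status_output):
    """Return the primary-key fingerprint of every VALIDSIG line.

    The optional last field is the primary key's fingerprint (present when a
    subkey signed); otherwise the signing key itself is the primary key.
    """
    fprs = []
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fprs.append((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return fprs


def signature_is_trusted(status_output, pinned=PINNED_FPR):
    """True only if the pinned key made a valid signature; any other key fails."""
    return pinned.replace(" ", "").upper() in signer_fingerprints(status_output)


def verify_tarball(tarball, signature, pinned=PINNED_FPR):
    """Run gpg with machine-readable status on stdout and decide on the pin."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and signature_is_trusted(proc.stdout, pinned)


if __name__ == "__main__":
    print("pinned key signed the sample:", signature_is_trusted(SAMPLE_STATUS))
```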
