From: tmz at pobox.com (Todd Zullinger)
Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
Date: Mon, 9 Mar 2015 15:39:29 -0400
Message-ID: <20150309193929.GW3567@zaya.teonanacatl.net>
In-Reply-To: <20150308104520.GK1369@serenity.lan>
John Keeping wrote:
> On Sat, Mar 07, 2015 at 06:35:10PM -0500, Todd Zullinger wrote:
>> But while we're on the subject, are there PGP signatures available for
>> the cgit tarballs themselves? I know the git tags are signed, but I
>> don't think I've seen detached signatures for the tarballs. In this
>> case, how does a user become "happy that the CGit distribution they
>> have is trustworthy"? The cgit tarball download isn't available via
>> https either, which might be a reasonable answer in the absence of a
>> detached git signature.
>>
>> Without a signature on the tarball or some other method to verify the
>> cgit tarball, the sha256 of the git tarball included in the cgit
>> Makefile is more or less only useful as a basic download integrity
>> check (in which case sha256 is mild overkill).
>>
>> None of this is to say that this patch isn't a step in the right
>> direction. It certainly helps to display a nicer error message if a
>> user receives a corrupted git tarball. It's just important that users
>> don't confuse this with providing any real authentication of the git
>> tarball.
>
> I'm not sure this is true. Providing that the CGit tarball is trusted,
> then I think this does provide sufficient authentication of the Git
> tarball. If the CGit tarball isn't trusted, then all bets are off
> anyway.
Agreed. The caveat is that I'm not sure there is a convenient method
for end-users or packagers to verify the authenticity of a cgit
tarball.

Those on the list can check the PGP signature on the announcement mail
and then use the included SHA1 to check the tarball, but doing that as
a non-list member isn't as easy due to many list archives stripping or
mangling PGP signatures. I tried doing this with the 0.11
announcement from the Mailman and Gmane archives now and wasn't
successful.

Posting a detached PGP signature for the tarball would improve the
ability for users to trust and verify the cgit tarball. It's not a
blocker for your patch, but it would make it significantly more
useful, so I thought I would broach the subject. ;)

Thank you for all of your work on cgit. It's very nice to see it
continue to improve, with even the smallest details getting attention.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now don't say you can't swear off drinking; it's easy. I've done it a
thousand times.
-- W.C. Fields
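As an added example (not the cgit Makefile change under discussion, whose text is not in this message), a small POSIX shell check of the kind the thread describes: it compares a downloaded git-$VER.tar.gz against a pinned SHA256 for integrity and, separately, verifies a detached PGP signature when one is present, so that the two kinds of assurance are kept distinct. The function names and the .asc/.sig suffixes are assumptions, and the signature check only means anything if the signer's key is already trusted in the local keyring.

```shell
#!/bin/sh
# Added example: integrity (SHA256) and authenticity (detached PGP
# signature) checks for a downloaded tarball. Not cgit's own Makefile code.

# Print the SHA256 of a file, portable across coreutils, BSD and openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Integrity check: compare the file's SHA256 with the value pinned in the
# build file. This only detects corruption or substitution relative to the
# pinned value; it is as trustworthy as the file that carries the hash.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "$file: SHA256 mismatch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Authenticity check: verify a detached signature (file.asc or file.sig,
# assumed names) with gpg. Returns 0 on a good signature, 1 on a bad or
# untrusted one, and 2 when no detached signature exists at all, so the
# caller can tell "integrity only" apart from "signature failed".
verify_signature() {
    file=$1
    for sig in "$file.asc" "$file.sig"; do
        [ -f "$sig" ] || continue
        if gpg --verify "$sig" "$file" 2>/dev/null; then
            return 0
        fi
        echo "$file: bad or untrusted signature $sig" >&2
        return 1
    done
    echo "$file: no detached signature found; integrity check only" >&2
    return 2
}
```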