[gdal-dev] checksums for source releases

Even Rouault even.rouault at spatialys.com
Tue Jun 12 16:46:45 PDT 2018


On Wednesday 13 June 2018 09:20:24 CEST Ben Elliston wrote:
> On 13/06/18 09:18, Even Rouault wrote:
> > The checksum is more intended to check that there wasn't an accidental
> > corruption in the transportation of the archive (MD5 will remain safe
> > forever for detecting that), rather than an attempt to forge a hostile
> > archive. In which case, we should also sign the checksum...
> 
> Or just sign the tarballs. :-)

Things get messy when signing is involved and you need to consider the whole 
chain from a security point of view (*), otherwise there's little point in 
doing it.

Currently I generate the archives on an OSGeo server. More to follow tradition 
than for a real reason, I believe. If signing was involved, which key should be 
used, and where would such signing occur? I could use my personal GPG key on my 
own PC (since I wouldn't trust the servers enough), but then my pubkey should be 
made public somewhere in a trusted location (you wouldn't put it next to the 
archive: if someone managed to forge the archive, they would also be able to 
replace it with their own key). And that would be annoying if someone else 
wanted to do a release. So lots of complications for little benefit...

If people are worried about the archive authenticity, they can also check out 
the corresponding git tag, and diff it with the archive.

Even

(*) you'd better not use any CPU with speculative execution while you are at it.

-- 
Spatialys - Geospatial professional services
http://www.spatialys.com
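As an added example that is not part of the thread or of the GDAL project: a small Python script that performs the check suggested above, comparing a release tarball against a checked-out git tag file by file, and reporting files only in the archive (normally generated ones), files only in the checkout, and files whose content differs. It assumes the archive has a single top-level directory (as `git archive --prefix=` produces); the `demo()` fixture, its file names, contents and the `gdal-X.Y.Z` version are all constructed.

```python
# Added example (not from the gdal-dev thread): diff a release tarball against a checkout.
import hashlib
import os
import tarfile
import tempfile

def tree_hashes(root):
    """Relative path -> sha256 of every regular file under root (skips .git)."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def archive_hashes(tar_path):
    """Member path (single top-level prefix removed) -> sha256 of regular files."""
    out = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for m in tf:
            if m.isfile():
                rel = m.name.split("/", 1)[-1]
                out[rel] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def diff_archive_against_tree(tar_path, tree_root):
    """Return (only_in_archive, only_in_tree, content_differs), each sorted.
    Generated files belong in the first list; the third list is what to worry about."""
    a, t = archive_hashes(tar_path), tree_hashes(tree_root)
    return (sorted(set(a) - set(t)), sorted(set(t) - set(a)),
            sorted(p for p in a if p in t and a[p] != t[p]))

def demo():
    """Constructed fixture: a checkout, and a tarball with one generated file and one edited source."""
    root = tempfile.mkdtemp()
    files = {"checkout/src/gdal.h": "int x;\n", "checkout/README": "hello\n",
             "release/src/gdal.h": "int x; /* edited */\n",
             "release/README": "hello\n", "release/configure": "#!/bin/sh\n"}
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    tar_path = os.path.join(root, "gdal-X.Y.Z.tar.gz")  # X.Y.Z: placeholder version
    with tarfile.open(tar_path, "w:gz") as tf:
        tf.add(os.path.join(root, "release"), arcname="gdal-X.Y.Z")
    return diff_archive_against_tree(tar_path, os.path.join(root, "checkout"))
```

On a real release, point `diff_archive_against_tree` at the downloaded tarball and a fresh `git checkout` of the tag; an empty third list means no tracked source file was altered between tagging and packaging.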