[gdal-dev] checksums for source releases
Even Rouault
even.rouault at spatialys.com
Tue Jun 12 16:46:45 PDT 2018
On mercredi 13 juin 2018 09:20:24 CEST Ben Elliston wrote:
> On 13/06/18 09:18, Even Rouault wrote:
> > The checksum is more intended to check that there wasn't an accidental
> > corruption in the transportation of the archive (MD5 will remain safe
> > forever for detecting that), rather than an attempt to forge a hostile
> > archive. In which case, we should also sign the checksum...
>
> Or just sign the tarballs. :-)
Things get messy when signing is involved and you need to consider the whole
chain from a security point of view (*), otherwise there's little point in
doing it.
Currently I generate the archives on an OSGeo server. More to follow the
tradition than for a real reason, I believe. If signing was involved, which
key should be used, and where would such signing occur? I could use my
personal GPG key, but on my own PC (since I wouldn't trust the servers enough),
but then my pubkey should be made public somewhere in a trusted location (you
wouldn't put it next to the archive: if someone managed to forge the
archive, they would also be able to replace it with their own key). And that
would be annoying if someone else wanted to do a release. So lots of
complications for little benefit...
If people are worried about the archive authenticity, they can also check out
the corresponding git tag, and diff it with the archive.
Even
(*) you'd better not use any CPU with speculative execution while you are at it.
--
Spatialys - Geospatial professional services
http://www.spatialys.com
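The two checks discussed in this thread, a checksum that catches transport corruption and a diff of the archive against the tagged source tree that catches content mismatches, as an added Python example (not code from the mailing list or from GDAL's own release tooling). The source tree, its file contents and the `gdal-x.y.z` directory prefix are constructed sample data.

```python
import hashlib
import io
import tarfile

PREFIX = "gdal-x.y.z"  # constructed top-level directory name, not a real release

# Constructed stand-in for the tree you would get from `git checkout <tag>`.
SAMPLE_TREE = {
    "configure": b"#!/bin/sh\nexit 0\n",
    "gcore/gdal.h": b"/* constructed header */\n",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_tarball(tree, prefix=PREFIX):
    """Build an in-memory .tar.gz from a {relative_path: bytes} tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in sorted(tree.items()):
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def checksum_matches(archive, published_hex):
    """Transport check: the downloaded bytes hash to the published digest."""
    return sha256_hex(archive) == published_hex

def diff_against_tree(archive, tree, prefix=PREFIX):
    """Authenticity check: compare archive contents with the checked-out tag.
    Returns a sorted list of (path, reason); an empty list means identical."""
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue  # directories, symlinks etc. are not compared here
            rel = member.name[len(prefix) + 1:]  # strip "prefix/"
            seen.add(rel)
            data = tf.extractfile(member).read()
            if rel not in tree:
                problems.append((rel, "only in archive"))
            elif data != tree[rel]:
                problems.append((rel, "content differs"))
    problems.extend((p, "only in git tag") for p in tree if p not in seen)
    return sorted(problems)
```

A checksum that matches only proves the bytes arrived intact; the tree diff is what tells you the archive holds the same sources as the tag.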