Re: [Repo-criteria-discuss] Fwd: Re: repo-criteria-evaluation
From: Mike Gerwitz
Subject: Re: [Repo-criteria-discuss] Fwd: Re: repo-criteria-evaluation
Date: Thu, 28 Apr 2016 22:51:34 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux)
On Wed, Apr 27, 2016 at 23:26:16 -0600, Connor Shea wrote:
> With regards to this specific problem with SourceForge, it may be worth
> considering the addition of an extra criterion (probably in the A level?)
> for verification of downloads by way of SHA hashes, or some similar
> mechanism. The problem with that of course being that the site could just
> modify the SHA hash as well as the software and the user would be
> none the wiser.
In this case, SourceForge is a bit more than just a repository host;
we're only focusing on that bit. At least as far as I'm aware.
Ideally, the distribution archive/etc should be accompanied by a
detached GPG signature; the signature is a superior form of
verification, and would prevent[*] SourceForge from forging.
[*] All the usual crypto-caveats apply.
--
Mike Gerwitz
Free Software Hacker | GNU Maintainer & Volunteer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
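The contrast the two messages above draw, a checksum published beside the download versus a detached GPG signature, as an added worked example (not code from the thread, the list, or any project discussed on it). It assumes gpg (GnuPG 2.1 or newer) and sha256sum or shasum are installed; the "release" tarball, the throwaway signing key under a temporary GNUPGHOME, and the release@example.invalid identity are all constructed for the demo. A simulated hosting site rewrites both the file and its checksum file, which a checksum-only check cannot notice, while the signature check fails because the signing key never left the maintainer.

```shell
#!/bin/sh
# Added example: checksum-beside-download vs. detached GPG signature.
# Everything is constructed locally; no real release or key is involved.

# Run gpg against the demo keyring in "$1/gnupg" (hypothetical layout),
# non-interactively and with an empty passphrase on the throwaway key.
gpg_batch() {
  dir=$1; shift
  GNUPGHOME="$dir/gnupg" gpg --batch --quiet --pinentry-mode loopback \
    --passphrase '' "$@" >/dev/null
}

# Portable SHA-256 hex digest of a file (coreutils or perl shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Maintainer side: build the "release", its checksum file, and a detached
# ASCII-armored signature with a freshly generated throwaway key.
# Prints the directory holding all of it.
demo_setup() {
  d=$(mktemp -d)
  mkdir -m 700 "$d/gnupg"
  gpg_batch "$d" --quick-gen-key 'Release Bot <release@example.invalid>' \
    default default never
  printf 'pretend this is the release tarball\n' > "$d/release.tar.gz"
  sha256_of "$d/release.tar.gz" > "$d/release.tar.gz.sha256"
  gpg_batch "$d" --yes --local-user release@example.invalid \
    --detach-sign --armor --output "$d/release.tar.gz.asc" "$d/release.tar.gz"
  printf '%s\n' "$d"
}

# Hosting side, malicious or compromised: it serves both the archive and the
# checksum file, so it can rewrite both consistently. It cannot re-sign,
# because the private key is not on the host.
host_tamper() {
  printf 'this is not what the maintainer released\n' > "$1/release.tar.gz"
  sha256_of "$1/release.tar.gz" > "$1/release.tar.gz.sha256"
}

# User side, check 1: compare the download against the published checksum.
verify_with_checksum() {
  [ "$(sha256_of "$1/release.tar.gz")" = "$(cat "$1/release.tar.gz.sha256")" ]
}

# User side, check 2: verify the detached signature against the public key
# the user already holds (here, the demo keyring). Exit status 0 = good.
verify_with_signature() {
  gpg_batch "$1" --verify "$1/release.tar.gz.asc" "$1/release.tar.gz"
}

demo_cleanup() {
  GNUPGHOME="$1/gnupg" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$1"
}

# Stand-alone run: show both checks before and after the host tampers.
run_demo() {
  d=$(demo_setup)
  report() {
    if "$1" "$d"; then echo "$2: $1 passes"; else echo "$2: $1 FAILS"; fi
  }
  report verify_with_checksum  "pristine"
  report verify_with_signature "pristine"
  host_tamper "$d"
  report verify_with_checksum  "tampered"   # still passes: host rewrote it
  report verify_with_signature "tampered"   # fails: signature does not match
  demo_cleanup "$d"
}

run_demo
```

The public key is the part that has to reach the user through a channel the host does not control (a keyserver, the maintainer's site, the project's own key-signing record); if the user fetches the key from the same place as the archive, the signature check collapses back into the checksum case.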