On Thursday, April 13, 2017 5:05:36 PM EDT Paul Moore wrote:
> On Thu, Apr 13, 2017 at 5:00 PM, William Roberts
> <bill.c.roberts(a)gmail.com> wrote:
> > Isn't the hash on the https people's page?

No, it's on the mail list. The mail list is moderated. Only a handful of people
could post a spoofed message.

> > Which last time I looked wasn't throwing cert errors in Chrome.
>
> Unless Steve has exclusive administrative access to people.redhat.com
> (I think it is safe to say he does not, but correct me if I'm wrong
> Steve <b>)

Nope.

> you can't trust an unsigned checksum regardless of how
> strong the https cert/crypto as the web admin could still tamper with
> the data.

They would have to go tamper with the mail list where all the hashes are
publicly disclosed, too. There are multiple mail list archives. Then they
would have to post the tampered tarball to the Fedora Build System which also
publicly discloses hashes. And the Fedora Build System requires several
identity checks to check it in and it maintains a log.
You might get one, but you can't get them all. I'd say just a simple check of
the hash would catch most problems. If not, then I'd trust what's in Fedora
over the people page.
-Steve
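
The cross-check argued for in this message, as an added example (not code from the thread or from any project it mentions): compare a downloaded tarball's digest with the hash published on each independent channel and report any channel that disagrees. SHA-256, the channel names, the two-channel minimum and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

MIN_CHANNELS = 2  # assumption: require at least two independent publications

# Constructed stand-in for a downloaded release tarball.
SAMPLE_TARBALL = b"constructed sample release tarball bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cross_check(tarball: bytes, published: dict) -> dict:
    """Compare the local digest with the hash each channel published.

    published maps a channel name to the hex digest copied from it.
    """
    local = sha256_hex(tarball)
    agree = sorted(c for c, h in published.items() if h.strip().lower() == local)
    disagree = sorted(c for c in published if c not in agree)
    if not published:
        verdict = "no-reference"        # nothing to compare against
    elif not agree:
        verdict = "tarball-mismatch"    # the download matches no published hash
    elif disagree:
        verdict = "channels-disagree"   # one channel was altered or is stale
    elif len(agree) < MIN_CHANNELS:
        verdict = "single-source"       # matches, but only one channel vouches
    else:
        verdict = "ok"
    return {"sha256": local, "verdict": verdict,
            "agree": agree, "disagree": disagree}


if __name__ == "__main__":
    good = sha256_hex(SAMPLE_TARBALL)
    altered = sha256_hex(SAMPLE_TARBALL + b" modified")
    # Constructed channel names; the web page alone carries an altered hash.
    channels = {
        "mail-list-archive-a": good,
        "mail-list-archive-b": good.upper() + "\n",
        "build-system-log": good,
        "web-page": altered,
    }
    result = cross_check(SAMPLE_TARBALL, channels)
    print(result["verdict"], "disagreeing:", result["disagree"])
```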