I know this. You know this. Joe User does not know this. I am trying to make Joe User’s life easier.
Since SHA256 is sufficient for both purposes why does release policy MANDATE that projects include an MD5? Julian > On Aug 31, 2017, at 1:17 PM, Ted Dunning <ted.dunn...@gmail.com> wrote: > > The checksum is not a tampering countermeasure. > > It is a "mirror ran out of diskpace" or "IP checksums are only 32 bits" > countermeasure. > > > > On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde <jh...@apache.org> wrote: > >> As security experts, you and I know that. But Joe User maybe only checks >> one digest. >> >> (Aren’t we all Joe User sometimes?) >> >> Julian >> >>> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jum...@guac-dev.org> >> wrote: >>> >>> On Aug 31, 2017 11:21, "Julian Hyde" <jh...@apache.org> wrote: >>> >>> After downloading artifacts, there are 3 things to check: (1) the >> download >>> is successful; (2) the artifacts were indeed created by the named author; >>> and (3) the artifacts have not been tampered with. >>> >>> A security expert would know to use the .md5 for (1), the .asc for (2), >> and >>> the .sha256 or .sha512 for (3). >>> >>> >>> If there is a danger that the artifacts may be tampered with, there is an >>> equivalent danger that the checksum files will be tampered with, as well. >>> Checksums alone cannot be relied upon to verify an artifact hasn't been >>> altered. >>> >>> Only the signature allows verification of authorship and integrity ... >>> assuming users have secure access to the corresponding public keys, and >>> that those keys are linked into the web of trust. >>> >>> - Mike >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >> For additional commands, e-mail: general-h...@incubator.apache.org >> >> --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
