On 08.10.2012 23:51, Remy Blank wrote:
> Felix Schwarz wrote:
>> Could you please include the md5 sum in your email announcement? Last time
>> only 1.0 was mentioned. Ideally the md5 hash file would be signed with GPG.
>
> The md5 hashes can be found on TracDownload, as well as in the download
> directory <http://download.edgewall.org/trac/>. Isn't that sufficient?
A malicious attacker gains access to the edgewall.org server and can place a modified source tarball (e.g. containing a backdoor) in the download directory. Of course he can easily put a matching md5 hash file beside it. Modifying the Trac database so TracDownload displays the same (bad) hash should be easy in that case.

If you send the info by mail I can check my local inbox for the hash - unlikely that the same attacker also managed to break into my computer. Therefore we either need signed hashes or at least hashes via email.

fs
signature.asc
Description: OpenPGP digital signature
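The scenario Felix describes can be made concrete with a small model of release verification. The following script is an added example written for this thread; it is not Trac's or Edgewall's code and uses constructed tarball bytes, a constructed file name (`example-release.tar.gz`) and a constructed "mailed hash" rather than any real release. It publishes a tarball plus a `sha256sum`-style hash file on a simulated server, keeps a copy of the hash that subscribers received by mail, then lets an attacker who controls the server replace both tarball and hash file consistently. The co-located check still passes, which is exactly why it proves nothing; only the out-of-band copy catches the swap. (md5 is what the thread mentions; the example defaults to sha256 because md5 is collision-broken, but the trust argument is the same for either.)

```python
import hashlib
import hmac

# Constructed sample release artifacts (placeholders, not real Trac files).
GENUINE_TARBALL = b"genuine release tarball bytes (constructed sample)"
TAMPERED_TARBALL = b"tampered release tarball bytes (constructed sample)"
RELEASE_NAME = "example-release.tar.gz"  # constructed file name


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data. md5 is accepted because the thread discusses it,
    but sha256 is what a release process should publish."""
    return hashlib.new(algo, data).hexdigest()


def make_hash_file(data: bytes, name: str, algo: str = "sha256") -> str:
    """Produce the one-line 'HEX  filename' format written by sha256sum/md5sum."""
    return f"{digest(data, algo)}  {name}\n"


def parse_hash_file(text: str) -> dict:
    """Parse 'HEX  filename' lines into {filename: hex}; reject malformed lines
    instead of silently skipping them."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, sep, name = line.partition("  ")
        if not sep or not name or any(c not in "0123456789abcdef" for c in hexdigest.lower()):
            raise ValueError(f"malformed hash line: {line!r}")
        result[name] = hexdigest.lower()
    return result


def verify(data: bytes, name: str, hash_text: str, algo: str = "sha256") -> bool:
    """True only if hash_text lists `name` and its digest matches `data`.
    compare_digest avoids a timing side channel on the comparison."""
    expected = parse_hash_file(hash_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, digest(data, algo))


def simulate_server_compromise() -> dict:
    """Model the thread's attack: the server (tarball + hash file) is swapped
    consistently; the hash that went out by mail is untouched."""
    # Maintainer publishes tarball and hash file, and mails the same hash.
    server = {
        "tarball": GENUINE_TARBALL,
        "hashfile": make_hash_file(GENUINE_TARBALL, RELEASE_NAME),
    }
    mailed_hash = server["hashfile"]  # copy sitting in subscribers' inboxes

    # Attacker with access to the download directory replaces both files.
    server["tarball"] = TAMPERED_TARBALL
    server["hashfile"] = make_hash_file(TAMPERED_TARBALL, RELEASE_NAME)

    return {
        # Checking against the hash hosted next to the tarball: passes, proves nothing.
        "colocated_check_passes": verify(server["tarball"], RELEASE_NAME, server["hashfile"]),
        # Checking against the mailed (out-of-band) hash: catches the swap.
        "out_of_band_check_passes": verify(server["tarball"], RELEASE_NAME, mailed_hash),
    }


if __name__ == "__main__":
    print(simulate_server_compromise())
```

The out-of-band hash only helps if the attacker cannot also rewrite the mail archive; a detached OpenPGP signature over the tarball (or over the hash file) removes even that dependency, because a verifier checks it against a release key obtained earlier, not against anything fetched from the download server. With a detached signature `FILE.asc`, the standard check is `gpg --verify FILE.asc FILE`, and it is only meaningful if the signing key was already trusted before the download.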
