Re: [fossil-users] Release 1.35 checksums?

2016-07-06 Thread Richard Hipp
On 7/6/16, Eduard  wrote:
>
> As a related small request, it would be very much appreciated if more
> people (including D. R. Hipp) signed their commits with PGP (in addition
> to the build hashes on the site). After all we already have the fossil
> 'clearsign' setting, it's just a matter of generating a key (gpg
> --gen-key) and using it.
>

I do already sign all my check-ins on some other repositories.  I'll
make a note to try to enable GPG signing on the self-hosting Fossil
repo as well.

-- 
D. Richard Hipp
d...@sqlite.org
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users


Re: [fossil-users] Release 1.35 checksums?

2016-07-06 Thread John McMurloc
Faf?

-Original Message-
From: fossil-users-boun...@lists.fossil-scm.org 
[mailto:fossil-users-boun...@lists.fossil-scm.org] On Behalf Of Eduard
Sent: 6. juli 2016 19:40
To: Fossil SCM user's discussion
Subject: Re: [fossil-users] Release 1.35 checksums?

On 07/05/2016 02:56 PM, jungle Boogie wrote:
> On 1 July 2016 at 09:39, Warren Young <w...@etr-usa.com> wrote:
>> If you’re expecting the checksum to protect you against someone hacking the 
>> web site and uploading malware, they can modify the checksums on the web 
>> site at the same time.
> Absolutely.
> 
> As a small request, maybe when Dr. Hipp makes a release, he can also
> include the hash in the email. As Andy indicated, this can be archived
> by search engines and even available on the archive of the mailing
> list.

As a related small request, it would be very much appreciated if more
people (including D. R. Hipp) signed their commits with PGP (in addition
to the build hashes on the site). After all we already have the fossil
'clearsign' setting, it's just a matter of generating a key (gpg
--gen-key) and using it.





Re: [fossil-users] Release 1.35 checksums?

2016-07-06 Thread Eduard
On 07/05/2016 02:56 PM, jungle Boogie wrote:
> On 1 July 2016 at 09:39, Warren Young  wrote:
>> If you’re expecting the checksum to protect you against someone hacking the 
>> web site and uploading malware, they can modify the checksums on the web 
>> site at the same time.
> Absolutely.
> 
> As a small request, maybe when Dr. Hipp makes a release, he can also
> include the hash in the email. As Andy indicated, this can be archived
> by search engines and even available on the archive of the mailing
> list.

As a related small request, it would be very much appreciated if more
people (including D. R. Hipp) signed their commits with PGP (in addition
to the build hashes on the site). After all we already have the fossil
'clearsign' setting, it's just a matter of generating a key (gpg
--gen-key) and using it.




signature.asc
Description: OpenPGP digital signature


Re: [fossil-users] Release 1.35 checksums?

2016-07-05 Thread jungle Boogie
On 1 July 2016 at 09:39, Warren Young  wrote:
> If you’re expecting the checksum to protect you against someone hacking the 
> web site and uploading malware, they can modify the checksums on the web site 
> at the same time.

Absolutely.

As a small request, maybe when Dr. Hipp makes a release, he can also
include the hash in the email. As Andy indicated, this can be archived
by search engines and even available on the archive of the mailing
list.


-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si


Re: [fossil-users] Release 1.35 checksums?

2016-07-04 Thread Andy Bradford
Thus said Lonnie Abelbeck on Fri, 01 Jul 2016 15:50:40 -0500:

> Indeed, and this requires a bad guy to hack two different servers to
> create bogus downloads and SHA1's. As usual, well done D. R. Hipp.

It depends on the target of the attack. If it's a single user whose ISP
is less than reputable, then it won't matter that the downloads and
SHA1's are on different sites. As long as that user can get to encrypted
email sessions, then there is at least one mechanism that he can use to
obtain the official sums (again, assuming that there is no collusion
between his encrypted email service and his ISP, or the attacker).

Andy
--
TAI64 timestamp: 4000577b030b


Re: [fossil-users] Release 1.35 checksums?

2016-07-04 Thread Andy Bradford
Thus said Warren Young on Fri, 01 Jul 2016 10:39:17 -0600:

> > The checksum file on the down load page only has values for up to
> > v1.34 Where do we get the values for v1.35
>
> Why do you trust such things in the first case?
>
> If you're looking to checksums to protect you against MITM malware
> injection, the same MITM can modify the checksum, too.

While it may not be perfect, having them published means that the
checksums can be archived by search engines, and other crawling things.
Manipulating all the distributed copies of the checksums would be more
of a challenge than replacing them at the point where they are requested
(e.g. the user's browser). But at least with them published, one can use
multiple various ways to obtain them to make sure they all align. Also,
if someone notices that they are wrong, this could be published on a
mailing list or forum and that too would be picked up by archives.

Of course, if the search engines are malicious, or the primary site that
publishes them is manipulated, then it becomes more difficult. But the
user can always just ask in a public forum.

I don't see them as wholly useless.

Andy
--
TAI64 timestamp: 4000577b0226
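
The cross-checking described in the message above, as an added example that is not part of the original thread: a downloaded file is accepted only when checksum lists obtained through independent channels agree on it. The sha1sum-style list format, the file name, the source labels and all sample data are constructed assumptions; SHA1 is used because that is what the thread's checksum page publishes.

```python
import hashlib
import io
import re

# Assumed list format: "<40 hex digits>  <filename>", as sha1sum prints it.
LINE = re.compile(r"^([0-9a-fA-F]{40})\s+\*?(\S.*)$")

def parse_checksum_list(text):
    """Return {filename: lowercase digest}; non-checksum lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries

def sha1_of(stream, chunk=65536):
    h = hashlib.sha1()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def cross_check(filename, stream, sources, quorum=2):
    """Accept only if no source disagrees and >= quorum sources list the file.

    Returns (accepted, {source: 'match' | 'mismatch' | 'missing'}).
    """
    local = sha1_of(stream)
    per_source = {}
    for name, text in sources.items():
        published = parse_checksum_list(text).get(filename)
        if published is None:
            per_source[name] = "missing"      # e.g. a list that stops at 1.34
        else:
            per_source[name] = "match" if published == local else "mismatch"
    verdicts = list(per_source.values())
    return "mismatch" not in verdicts and verdicts.count("match") >= quorum, per_source

# Constructed sample data: a stand-in archive and three independent lists.
RELEASE = b"constructed stand-in for a release archive\n"
NAME = "example-1.35.tar.gz"
GOOD = hashlib.sha1(RELEASE).hexdigest()
OLD = hashlib.sha1(b"older release").hexdigest()
SOURCES = {
    "download-site": f"{OLD}  example-1.34.tar.gz\n",            # stale list
    "second-server": f"{OLD}  example-1.34.tar.gz\n{GOOD}  {NAME}\n",
    "list-archive": f"release announcement\n{GOOD}  {NAME}\n",
}

if __name__ == "__main__":
    print(cross_check(NAME, io.BytesIO(RELEASE), SOURCES))
    print(cross_check(NAME, io.BytesIO(RELEASE + b"extra"), SOURCES))
```

A source that does not list the file counts as "missing", not as agreement, so a stale checksum page cannot contribute to the quorum.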


Re: [fossil-users] Release 1.35 checksums?

2016-07-01 Thread Richard Hipp
On 7/1/16, Ross Berteig  wrote:
> On 7/1/2016 10:11 AM, Lonnie Abelbeck wrote:
>> It seems the Checksums are on a different site from the downloads,
>> raising the bar for mischief. BTW including 1.35 now.
>> http://www.hwaci.com/fossil_download_checksums.html
>
> FYI, Hwaci is D. R. Hipp's company that owns the assigned copyrights to
> all work on fossil. Quoting that page, "Hipp, Wyrick & Company, Inc., or
> "Hwaci" for short, is a small North Carolina company providing knowledge
> services to clients around the world since 1992."
>
> That site is as official as fossil-scm.org.

It's the same IP address as www3.fossil-scm.org.  More importantly, it
is on a separate server, in a separate datacenter, owned by a
different company (Hurricane Electric vs. Linode) and in a different
state (CA vs TX), from the canonical www.fossil-scm.org server.  The
idea is that a hack of both servers seems unlikely.

FWIW, the checksums were added years ago by request from users on this
mailing list.

-- 
D. Richard Hipp
d...@sqlite.org


Re: [fossil-users] Release 1.35 checksums?

2016-07-01 Thread Lonnie Abelbeck

On Jul 1, 2016, at 3:42 PM, Ross Berteig  wrote:

> On 7/1/2016 10:11 AM, Lonnie Abelbeck wrote:
>> It seems the Checksums are on a different site from the downloads,
>> raising the bar for mischief. BTW including 1.35 now.
>> http://www.hwaci.com/fossil_download_checksums.html
> 
> FYI, Hwaci is D. R. Hipp's company that owns the assigned copyrights to all 
> work on fossil. Quoting that page, "Hipp, Wyrick & Company, Inc., or "Hwaci" 
> for short, is a small North Carolina company providing knowledge services to 
> clients around the world since 1992."
> 
> That site is as official as fossil-scm.org.

Indeed, and this requires a bad guy to hack two different servers to create 
bogus downloads and SHA1's.  As usual, well done D. R. Hipp.

Lonnie



Re: [fossil-users] Release 1.35 checksums?

2016-07-01 Thread Ross Berteig

On 7/1/2016 10:35 AM, Warren Young wrote:
> On Jul 1, 2016, at 11:13 AM, Todd C. Olson  wrote:
>>
>> Then why does fossil-scm.org offer checksums at all?
>
> Better question: why does any download site offer checksums?


One answer is mirrors. If a download is widely mirrored, then one might 
have reason for concern that a third-party provided mirror might be 
serving up modified content. Having the official site publish one or 
more checksums is a cheap way of providing some assurance that hasn't 
happened. A cryptographic signature would be stronger, but enough harder 
for end users to verify that it would not be checked at all.


It did happen to a number of iOS developers in China recently. They were 
in the habit of getting developer tools from a mirror site that was far 
closer to them (by bandwidth and download time measures) than the 
official Apple sites. The tools they got included a modified toolchain 
that produced iOS apps with backdoor access. That also passed all Apple 
review stages since they were linked against "official" libraries.


That said, fossil doesn't provide an automated pool of mirrors hosted at 
third party providers so this would be less of a concern.


--
Ross Berteig   r...@cheshireeng.com
Cheshire Engineering Corp.   http://www.CheshireEng.com/
+1 626 303 1602


Re: [fossil-users] Release 1.35 checksums?

2016-07-01 Thread Warren Young
On Jul 1, 2016, at 11:13 AM, Todd C. Olson  wrote:
> 
> Then why does fossil-scm.org offer checksums at all?

Better question: why does any download site offer checksums?

My answer: I have no idea, which is why I ask these questions every time the 
question comes up.  I have yet to get a satisfactory answer.

I *can* see the point for large ISOs and such, simply because the download time 
required means that a quick way of verifying that you’ve got a clean download 
is useful.  That same doesn’t apply to Fossil.


Re: [fossil-users] Release 1.35 checksums?

2016-07-01 Thread Lonnie Abelbeck

On Jul 1, 2016, at 11:39 AM, Warren Young  wrote:

> On Jun 30, 2016, at 7:21 PM, Todd C. Olson  wrote:
>> 
>> The checksum file on the down load page only has values for up to v1.34
>> Where do we get the values for v1.35
> 
> Why do you trust such things in the first case?
> 
> If you’re expecting the checksum to protect you against someone hacking the 
> web site and uploading malware, they can modify the checksums on the web site 
> at the same time.

It seems the Checksums are on a different site from the downloads, raising the 
bar for mischief.  BTW including 1.35 now.

http://www.hwaci.com/fossil_download_checksums.html

Lonnie



Re: [fossil-users] Release 1.35 checksums?

2016-07-01 Thread Todd C. Olson
Then why does fossil-scm.org offer checksums at all?

Regards,
tco2

> On Fr, 2016-07-01, at 12:39, Warren Young  wrote:
> 
> On Jun 30, 2016, at 7:21 PM, Todd C. Olson  wrote:
>> 
>> The checksum file on the down load page only has values for up to v1.34
>> Where do we get the values for v1.35
> 
> Why do you trust such things in the first case?
> 
> If you’re looking to checksums to protect you against MITM malware injection, 
> the same MITM can modify the checksum, too.
> 
> If you’re expecting the checksum to protect you against someone hacking the 
> web site and uploading malware, they can modify the checksums on the web site 
> at the same time.
> 
> If you’re expecting to copy the checksums somewhere secure for verifying EXEs 
> later, downloading the current EXE and doing your own checksum gets you the 
> same benefit with no useful drop in security.
> 
> If you’re looking to these checksums for an integrity check, what kind of 
> horrible network are you on where Ethernet + TCP checksums are insufficient?


Re: [fossil-users] Release 1.35 checksums?

2016-07-01 Thread bch
On Jul 1, 2016 9:39 AM, "Warren Young"  wrote:
>
> On Jun 30, 2016, at 7:21 PM, Todd C. Olson  wrote:
> >
> > The checksum file on the down load page only has values for up to v1.34
> > Where do we get the values for v1.35
>
> Why do you trust such things in the first case?
>
> If you’re looking to checksums to protect you against MITM malware
> injection, the same MITM can modify the checksum, too.
>
> If you’re expecting the checksum to protect you against someone hacking
> the web site and uploading malware, they can modify the checksums on the
> web site at the same time.
>
> If you’re expecting to copy the checksums somewhere secure for verifying
> EXEs later, downloading the current EXE and doing your own checksum gets
> you the same benefit with no useful drop in security.
>
> If you’re looking to these checksums for an integrity check, what kind of
> horrible network are you on where Ethernet + TCP checksums are insufficient?

Given all this then, why are the checksums (incompletely) provided?
Obviously somewhat confusing.

-bch


Re: [fossil-users] Release 1.35 checksums?

2016-07-01 Thread Warren Young
On Jun 30, 2016, at 7:21 PM, Todd C. Olson  wrote:
> 
> The checksum file on the down load page only has values for up to v1.34
> Where do we get the values for v1.35

Why do you trust such things in the first case?

If you’re looking to checksums to protect you against MITM malware injection, 
the same MITM can modify the checksum, too.

If you’re expecting the checksum to protect you against someone hacking the web 
site and uploading malware, they can modify the checksums on the web site at 
the same time.

If you’re expecting to copy the checksums somewhere secure for verifying EXEs 
later, downloading the current EXE and doing your own checksum gets you the 
same benefit with no useful drop in security.

If you’re looking to these checksums for an integrity check, what kind of 
horrible network are you on where Ethernet + TCP checksums are insufficient?