-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hello, I am contacting you as a package maintainer of Parabola GNU/Linux-libre, a fully free operating system in compliance with the Free Software Foundation's GNU FSDG. We also have a focus on privacy and security. We attempt to ensure that all of our packages and upstream are secure. As such I discovered a problem with several of your packages, including "cyrus-sasl". There is currently no hash check for the files on your FTP. And the GPG signature used to verify has an algorithm which is considered broken by Debian. This is particularly important since there have been recent attacks which replaced files on upstream servers. Take for example the Linux Mint hack earlier this year. (https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-c hecksums/) I would like to request that you please upload a SHA512 checksum of your cyrus-sasl tar.gz files, as well as sign the SHA512 with a stronger GPG signature. Technical documentation on how to do this: http://docs.oracle.com/cd/E36784_01/html/E36870/sha512sum-1.html sha512sum * > SHA512SUMS https://keyring.debian.org/creating-key.html https://help.ubuntu.com/community/GnuPrivacyGuardHowto https://access.redhat.com/solutions/1541303 gpg --clearsign -o SHA512SUMS.sign SHA512SUMS The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be uploaded to your site (or on another site/server for added security), so that package maintainers can verify that the source is accurate and unhacked by a third-party prior to packaging. Hosting via HTTPS would also improve protection against MITM attacks that occur with FTP. Thank you for your time and concern. Sincerely, Luke Parabola GNU/Linux-libre Packager -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYH1yxAAoJEMP0/88+roaX+K4P/2+EHigMKFaCnf0k3Rc+PVjh dBTntHrH+hf8YgwrEIAm+cbNqHNu9tEnvATh1GVq2QaI2u6f3Lw/BXIi4FXZo9lA YzEMzLCmxN1z5isxqd+xXtn9HNdpJK31uTR6g2cNBHI2CyZrpzNdDFKG3qKXN12k SSUJBl6a/SL71I8Voo9C8shR9mvyQyrX3uIx5yEbUIybX8YQxx7gxxVa+YBvy/Zh 16WhpBSy/OnCrn8cjpQeWWkbWivRCBpVuFpSs9MHJZ+/4h2pFLCN/7TNm6u7ogxN IT6sWFjBzfaqG5mPXJ/dYGEGc4oIGQgBSia+bALwIF78CG6R6RjUyM5DoQfBvi1m PxjoedjkjVdFXW52kIJVyoARItgO3qJRRybI2GIvGJBmQKFggDqMTjqCuVnYby6B V3JIrQ/VvVuaL/qTXXQu5h4vjkelI3xUPZFnyp0J4u4jhwejGfgmpccFcSrWN6Vv ESLHCs7a1WeudGcZ53tEl65xNfWF4n+h7JhbJObIllzrc6wCurrRzTHxBnFxYTeq 04QE1Gmkn+JHG8tvPs62oWXHGuUF8mY7xoGOuUcoTKEOdl9mMlmWqgLGumcuKHpu 4zxw+RDK3s02IBfQ/e5f1T8FFv9FbqoJOVGnv/DTGTl5QgksEipjX9ulSV1Ff8Va YSTrcNQ+6JTrGHDSku0l =QZO5 -----END PGP SIGNATURE-----
