On Wednesday 13 June 2018 09:20:24 CEST Ben Elliston wrote:
> On 13/06/18 09:18, Even Rouault wrote:
> > The checksum is more intended to check that there wasn't an accidental
> > corruption in the transportation of the archive (MD5 will remain safe
> > forever for detecting that), rather than an attempt to forge a hostile
> > archive. In which case, we should also sign the checksum...
>
> Or just sign the tarballs. :-)
Things get messy when signing is involved and you need to consider the whole chain from a security point of view (*), otherwise there's little point in doing it.

Currently I generate the archives on an OSGeo server. More to follow the tradition than for a real reason, I believe. If signing was involved, which key should be used, and where would such signing occur? I could use my personal GPG key, but on my own PC (since I wouldn't trust the servers enough), but then my pubkey should be made public somewhere in a trusted location (you wouldn't put it next to the archive: in case someone managed to forge the archive, they would also be able to replace it with their own key). And that would be annoying if someone else wanted to do a release.

So lots of complications for little benefit... If people are worried about the archive authenticity, they can also check out the corresponding git tag and diff it with the archive.

Even

(*) you'd better not use any CPU with speculative execution while you are at it.

--
Spatialys - Geospatial professional services
http://www.spatialys.com

_______________________________________________
gdal-dev mailing list
gdal-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/gdal-dev
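The two checks Even contrasts above, as an added example that is not part of the thread or of GDAL's own release tooling: a checksum comparison, which only catches transport corruption, and a diff of the extracted tarball against the matching git tag, which also catches an archive whose contents (and the checksum published beside it) were replaced. It assumes POSIX sh, tar, git, and sha256sum or shasum, and a tarball with one top-level directory as `git archive --prefix` produces; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the gdal-dev thread. Assumes: POSIX sh, tar, git,
# sha256sum (or shasum), and a tarball with a single top-level directory.
set -eu

# Portable SHA-256 hex digest of a file.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_checksum TARBALL EXPECTED_HEX
# Returns 0 when the digest matches. This only detects accidental corruption
# in transit: an attacker who replaces the archive can republish its checksum.
check_checksum() {
    [ "$(digest "$1")" = "$2" ]
}

# diff_against_tag TARBALL REPO TAG
# Returns 0 when the tarball's tree is identical to the tagged tree in REPO.
# Authenticity here rests on the git history you already trust, not on a file
# published next to the archive, which is the point Even makes above.
diff_against_tag() {
    tarball=$1
    repo=$2
    tag=$3
    work=$(mktemp -d)
    mkdir "$work/archive" "$work/tag"
    # Drop the "project-x.y.z/" prefix so both trees have the same root.
    tar -xf "$tarball" -C "$work/archive" --strip-components=1
    # Export the tagged tree without its working-copy noise.
    git -C "$repo" archive --format=tar "$tag" | tar -xf - -C "$work/tag"
    if diff -r "$work/archive" "$work/tag" >/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```

Run `diff_against_tag gdal-x.y.z.tar.gz /path/to/gdal-clone vX.Y.Z` against a local clone whose tags you fetched over a channel you trust; a non-zero exit means the archive and the tag differ.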