Karl Goetz wrote:
> On Thu, 01 Jan 2009 20:18:05 -0500
> Ted Smith <[email protected]> wrote:
>
>> On Fri, 2009-01-02 at 11:27 +1030, Karl Goetz wrote:
>>> On Thu, 01 Jan 2009 16:31:26 -0500
>>> Matthew Flaschen <[email protected]> wrote:
>>>
>>>> Ted Smith wrote:
>>>>> On Thu, 2009-01-01 at 17:49 +0800, Koh Choon Lin wrote:
>>>>>>>> I noted in recent times, servers for distro like Fedora and
>>>>>>>> Debian were compromised by hackers. Are there some measures
>>>>>>>> taken for gNewSense after those incidents?
>>>>>> I actually meant to ask how the servers hosting gNewSense are
>>>>>> protected to insure against rootkits being inserted into the
>>>>>> distribution stream.
>>>>> Well, all packages are PGP-signed, the preferred distribution
>>>>> method of the LiveCDs is BitTorrent (which is un-rootkitable),
>>>>> and the LiveCDs available for direct download are MD5sum'd
>>>>> (and the MD5sums are PGP-signed).
>>>> I agree. The only things that really matter are:
>>>>
>>>> 1. Using a secure hash (e.g. SHA-256).
>>> Moving from MD5SUM to SHA???SUM would be < 10 line patch to Builder,
>>> IIRC.
>>> kk
>> That should be done ASAP. MD5 has been broken for a while and now it's
>> getting to the point of being really ridiculous. It could be there
>> still for people that are uncomfortable using SHA, but we definitely
>> need to have options more secure than MD5.
>
> I'm sure Brian will accept patches.
> kk
Okay, patch attached. It uses sha256sum in place of md5sum, and changes the file name to SHA256SUMS accordingly. Also, it uses a detached GPG signature, which I think is better because it is less redundant; the command also uses --output to avoid a mv.

Matt Flaschen
Index: stage-cd =================================================================== --- stage-cd (revision 222) +++ stage-cd (working copy) @@ -30,9 +30,8 @@ tar -cf $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION cd $REPODST/cdimage mv $LIVECDDIR-src/$DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar . - sed -i "/ $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar$/d" MD5SUMS - md5sum $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar >> MD5SUMS + sed -i "/ $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar$/d" SHA256SUMS + sha256sum $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar >> SHA256SUMS fi cd $REPODST/cdimage -gpg -u $SIGNINGKEY --clearsign MD5SUMS -mv MD5SUMS.asc MD5SUMS.gpg +gpg -u $SIGNINGKEY --detach-sign --armor --output SHA256SUMS.gpg SHA256SUMS Index: gen-livecd =================================================================== --- gen-livecd (revision 222) +++ gen-livecd (working copy) @@ -190,5 +190,5 @@ # Here we stage the cd image cd $REPODST/cdimage btmakemetafile.bittornado http://torrent.$DOMAIN:6969/announce --announce_list "$BITTORRENT_ANNOUNCE_LIST" $LIVECD_ISO_PREFIX-livecd-$RELEASE-$LIVECD_VERSION.iso -sed -i "/ $LIVECD_ISO_PREFIX-livecd-$LIVECD_VERSION.iso$/d" MD5SUMS || true # Might not exist yet -md5sum $LIVECD_ISO_PREFIX-livecd-$RELEASE-$LIVECD_VERSION.iso >> MD5SUMS +sed -i "/ $LIVECD_ISO_PREFIX-livecd-$LIVECD_VERSION.iso$/d" SHA256SUMS || true # Might not exist yet +sha256sum $LIVECD_ISO_PREFIX-livecd-$RELEASE-$LIVECD_VERSION.iso >> SHA256SUMS
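Review bot: in the stage-cd hunk, the new `gpg -u $SIGNINGKEY --detach-sign --armor --output SHA256SUMS.gpg SHA256SUMS` line will block or fail on the second build. The old `mv MD5SUMS.asc MD5SUMS.gpg` replaced the previous signature unconditionally, but gpg asks before overwriting an existing `--output` file (and errors out under `--batch`), and SHA256SUMS.gpg now persists between runs. Add `--yes`, or `rm -f SHA256SUMS.gpg` on the line before. Two smaller points: an armored detached signature is conventionally named `.asc` (`.gpg` normally means a binary signature), and a detached signature is useless to anyone who fetches only SHA256SUMS, so wherever the download page explains the clearsigned MD5SUMS.gpg it needs to say `gpg --verify SHA256SUMS.gpg SHA256SUMS`. Also, the `sed -i "/ ...cdsource...tar$/d" SHA256SUMS` line here has no `|| true`, unlike its counterpart in gen-livecd; if SHA256SUMS can be absent at that point (it will be, right after this lands, when only MD5SUMS exists), it needs the same guard.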
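Review bot: in the gen-livecd hunk, the pattern in `sed -i "/ $LIVECD_ISO_PREFIX-livecd-$LIVECD_VERSION.iso$/d" SHA256SUMS || true` omits `$RELEASE`, while the line appended immediately below is for `$LIVECD_ISO_PREFIX-livecd-$RELEASE-$LIVECD_VERSION.iso`. The mismatch is inherited from the md5sum version, but since this patch rewrites both lines it is the place to fix it: as written the delete never matches anything, so every rebuild appends another entry for the same ISO and `sha256sum -c SHA256SUMS` then reports the stale ones as FAILED. Suggest `sed -i "/ $LIVECD_ISO_PREFIX-livecd-$RELEASE-$LIVECD_VERSION.iso$/d" SHA256SUMS || true`.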
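As an added example, not part of Matt's patch or of the gNewSense Builder scripts, here is a pure-Python model of the SHA256SUMS file the patched scripts write (one `sha256sum FILE` line per image), of the delete-then-append idiom they use to refresh an entry, and of the `sha256sum -c`-style check a downloader runs after `gpg --verify SHA256SUMS.gpg SHA256SUMS` has succeeded. The file names and contents are constructed; the only real format assumed is the coreutils `sha256sum` output line.

```python
"""Model of a SHA256SUMS file: writing it, refreshing entries, checking downloads.
Added example; sample names and bytes below are constructed, not real images."""
import hashlib
import re

# One line as printed by coreutils `sha256sum FILE`: 64 hex digits, then two
# spaces (text mode) or " *" (binary mode), then the file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def sums_line(name, data):
    """Render the line `sha256sum NAME` would print for these bytes."""
    return f"{hashlib.sha256(data).hexdigest()}  {name}"


def replace_entry(sums_text, name, data):
    """Drop every existing line for NAME, then append a fresh one.

    This is the `sed -i "/ NAME$/d" SHA256SUMS; sha256sum NAME >> SHA256SUMS`
    idiom from the build scripts. Deleting first keeps repeated builds from
    leaving stale duplicate entries, which a checker would report as FAILED."""
    kept = [
        ln for ln in sums_text.splitlines()
        if not (ln.endswith(" " + name) or ln.endswith("*" + name))
    ]
    kept.append(sums_line(name, data))
    return "\n".join(kept) + "\n"


def parse_sums(sums_text):
    """Return [(digest, name), ...] in file order.

    Duplicates are kept on purpose so the caller sees them, as `sha256sum -c`
    would; a malformed line is an error rather than something to skip."""
    entries = []
    for lineno, line in enumerate(sums_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {line!r}")
        entries.append((m.group(1).lower(), m.group(2)))
    return entries


def check_sums(sums_text, files):
    """Mirror `sha256sum -c`: FILES maps file name -> bytes as downloaded.

    Returns [(name, status), ...] with status OK, FAILED or MISSING. This is
    only meaningful once the signature over SHA256SUMS has been verified: the
    digests protect the images, the PGP signature protects the digests."""
    report = []
    for digest, name in parse_sums(sums_text):
        data = files.get(name)
        if data is None:
            report.append((name, "MISSING"))
        elif hashlib.sha256(data).hexdigest() == digest:
            report.append((name, "OK"))
        else:
            report.append((name, "FAILED"))
    return report


def all_ok(report):
    """True only if every listed file was present and matched."""
    return bool(report) and all(status == "OK" for _, status in report)


# Constructed stand-ins for a LiveCD image and its source tarball.
ISO_NAME, ISO = "example-livecd-1.0.iso", b"constructed livecd image bytes"
SRC_NAME, SRC = "example-cdsource-1.0.tar", b"constructed cdsource tarball bytes"

if __name__ == "__main__":
    sums = replace_entry("", ISO_NAME, ISO)
    sums = replace_entry(sums, SRC_NAME, SRC)
    print(sums)
    print(check_sums(sums, {ISO_NAME: ISO, SRC_NAME: SRC}))
    # A tampered image fails even though SHA256SUMS itself is untouched.
    print(check_sums(sums, {ISO_NAME: ISO + b"x", SRC_NAME: SRC}))
```

`replace_entry` is the part that matters for the build side: run it twice for the same name and the file still holds one entry. `check_sums` deliberately does not deduplicate, so a sums file that was appended to without the delete shows the stale entry as FAILED, which is exactly what a user running `sha256sum -c` would see.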
_______________________________________________
gNewSense-users mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/gnewsense-users
