Hi, Luke. This is the wrong list. You need to speak to the folks at [email protected].
David

On Sat, Nov 12, 2016 at 8:37 PM, Luke <[email protected]> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hello,
> I am contacting you as a package maintainer of Parabola GNU/Linux-libre,
> a fully free operating system in compliance with the Free Software
> Foundation's GNU FSDG. We also have a focus on privacy and security.
>
> We attempt to ensure that all of our packages and upstream are secure.
> As such I discovered a problem with your package "perl".
>
> http://www.cpan.org/src/5.0/ <-- from here
>
> There is currently no GPG signature to verify that the
> source is actually the one you have created.
>
> This is particularly important since there have been recent attacks
> which replaced files on upstream servers. Take for example the Linux
> Mint hack earlier this year.
> (https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/)
>
> I would like to request that you please upload a SHA512 checksum of your
> tar.gz files, as well as sign the SHA512 with a GPG signature.
> Releasing only a checksum does not prevent an attacker from uploading a
> modified copy and simply placing a new hash along with it.
>
> Technical documentation on how to do this:
> http://docs.oracle.com/cd/E36784_01/html/E36870/sha512sum-1.html
> sha512sum * > SHA512SUMS
>
> https://help.ubuntu.com/community/GnuPrivacyGuardHowto
> https://access.redhat.com/solutions/1541303
> gpg --clearsign -o SHA512SUMS.sign SHA512SUMS
>
> The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be
> uploaded to your site (or on another site/server for added security), so
> that package maintainers can verify that the source is accurate and
> unhacked by a third party prior to packaging.
>
> Thank you for your time and concern.
>
> Sincerely,
> Luke
> Parabola GNU/Linux-libre Packager

--
David Golden <[email protected]> Twitter/IRC/GitHub: @xdg
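The signed-checksum workflow Luke describes, seen from the packager's side, as an added example that is not code from either author on this thread nor from the perl project: it requires a good gpg signature from an expected key fingerprint before trusting SHA512SUMS, then compares the tarball's digest against the signed list. The `gpg` invocations, the `SHA512SUMS.sign`/tarball layout and the expected-fingerprint argument are assumptions.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# One line of `sha512sum` output: 128 hex digits, two spaces, filename.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{128})  (\S.*)$")

def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()

def parse_sha512sums(text):
    """Map filename -> digest; clearsign headers and armor lines never match the pattern."""
    sums = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def signer_fingerprints(status_text):
    """Fingerprints from gpg --status-fd output for a GOOD signature, else an empty set.
    Expired/revoked keys report EXPKEYSIG/REVKEYSIG, not GOODSIG, so both lines are required.
    On VALIDSIG, field 2 is the signing key and the last field the primary key when appended."""
    fprs, good = set(), False
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] == "GOODSIG":
            good = True
        elif f[1] == "VALIDSIG" and len(f) >= 3:
            fprs.update({f[2].upper(), f[-1].upper()})
    return fprs if good else set()

def gpg(*args):
    return subprocess.run(["gpg", "--batch", *args], capture_output=True, text=True)

def verify_release(sign_file, tarball, expected_fpr):
    """Signature first, then digest: an unsigned SHA512SUMS can be swapped along with the tarball."""
    want = expected_fpr.replace(" ", "").upper()
    verify = gpg("--status-fd", "1", "--verify", str(sign_file))
    if verify.returncode != 0 or want not in signer_fingerprints(verify.stdout):
        return False
    # Take the checksum list from the signed text itself, not from a separate unsigned copy.
    signed = gpg("--decrypt", str(sign_file))
    if signed.returncode != 0:
        return False
    expected = parse_sha512sums(signed.stdout).get(Path(tarball).name)
    return expected is not None and sha512_hex(Path(tarball).read_bytes()) == expected
```

Pinning the fingerprint matters: a "good signature" from any key in the keyring is not the same as a signature from the release key.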
