James Turnbull <[EMAIL PROTECTED]> writes:
> The MD5 hash for the file is here:
>
> http://reductivelabs.com/downloads/puppet/puppet-0.24.7rc2.tgz.md5

As the one who requested this[0], I'm happy that this is being provided, thanks! This is significantly better than most projects out there already. However, I do think that it could be one step better.

The point of providing an md5sum (or even a sha1 sum) of a release tarball is so that those of us downloading it can verify that the sums match locally with what you have provided. This gives us some integrity checking to know that the tarball hasn't been tampered with in transit (over HTTP that is certainly possible).

However, this does not provide us any assurances that the tarball on the reductivelabs.com server has not been messed with. This is actually the more common scenario: someone hacks a webserver and then injects code into a release tarball that everyone downloads and then installs all over their network. This has happened a number of times (Wordpress is the one that I am reminded of), and it's a total nightmare to clean up from every side.

As someone who takes this tarball and packages it up for Debian for distribution to thousands of people who then deploy it on hundreds of thousands of machines, this freaks me out that I do not have a good way of verifying the release. I would like reductivelabs to also have this phear, so we can resolve it before it bites us :)

The Linux kernel has been doing this since 1999, as it's a critical piece of software that cannot be compromised and then distributed. This enables them to revoke a key and publicize it if the machines that distribute the Linux kernel archives become compromised, a much easier clean-up process.

So how is it possible to provide the cryptographic authenticity that would really ensure that the release tarball that matches that MD5sum is the actual release tarball that reductivelabs is certifying is the correct one?

I would suggest doing signed hashes, simply using OpenPGP to sign the MD5 sums once they have been verified, then providing this signed MD5 file to the world. It's *even better* if whoever is signing the release has exchanged signatures with people in the current Web of Trust, especially someone who is part of the strongly connected set of people; this provides verification, through a trust path, of the identity of the person signing the release. The way the Linux kernel does this is by using a detached GPG signature, which you can verify easily with gpg --verify. This would be hot!

I would be happy to help in this effort; as someone who uses GPG daily for communications, for Debian work and as part of the Monkeysphere project[1], I'm particularly interested in having these assurances taken care of the right way!

Micah

0. http://projects.reductivelabs.com/issues/show/1777
1. http://monkeysphere.info
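The two threat scenarios Micah contrasts above (tampering in transit, which a published checksum catches, versus a compromised download server, which it does not) can be shown side by side in code. The following is an added example, not code from the post or from the Puppet project. It uses Go's standard-library ed25519 as a stand-in for the OpenPGP detached signature the post recommends, so the workflow has the same shape as `sha256sum puppet.tgz > puppet.tgz.sha256`, `gpg --detach-sign --armor puppet.tgz.sha256` on the release manager's machine and `gpg --verify puppet.tgz.sha256.asc puppet.tgz.sha256 && sha256sum -c puppet.tgz.sha256` on the downloader's. The tarball bytes, the file name and the attacker models are constructed for illustration; sha256 is used in place of md5 purely because it is what a project would pick today.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what ends up on the download server: the tarball, the
// checksum file published beside it, and a detached signature over that
// checksum file (the analogue of a puppet-0.24.7rc2.tgz.md5.asc file).
type Release struct {
	Tarball   []byte
	Checksums string
	Signature []byte
}

// checksumFile renders the one-line "<digest>  <name>" format that
// sha256sum/md5sum write and that "sha256sum -c" reads back.
func checksumFile(name string, data []byte) string {
	sum := sha256.Sum256(data)
	return fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), name)
}

// Publish runs on the release manager's machine, the only place the
// private key should ever exist. It hashes the tarball, writes the checksum
// file and signs that file (detached). Only the three fields of the
// returned Release are ever copied to the web server.
func Publish(priv ed25519.PrivateKey, name string, tarball []byte) Release {
	sums := checksumFile(name, tarball)
	return Release{
		Tarball:   tarball,
		Checksums: sums,
		Signature: ed25519.Sign(priv, []byte(sums)),
	}
}

// VerifyChecksumOnly is all a downloader can do with just the .md5/.sha256
// file: it catches corruption or tampering in transit, but it trusts
// whatever checksum file the server handed out.
func VerifyChecksumOnly(r Release, name string) error {
	if r.Checksums != checksumFile(name, r.Tarball) {
		return errors.New("checksum mismatch: tarball does not match the published checksum file")
	}
	return nil
}

// VerifySigned is the downloader's side with a trusted public key obtained
// out of band (key servers plus a Web of Trust path, or a key shipped in the
// distribution's packaging). The signature is checked first: if the checksum
// file itself was replaced, nothing it says can be trusted.
func VerifySigned(pub ed25519.PublicKey, r Release, name string) error {
	if !ed25519.Verify(pub, []byte(r.Checksums), r.Signature) {
		return errors.New("bad signature: checksum file was not signed by the release key")
	}
	return VerifyChecksumOnly(r, name)
}

// TamperInTransit models a man-in-the-middle on plain HTTP who alters the
// tarball bytes but cannot touch the checksum file the user fetched
// separately (constructed attacker model).
func TamperInTransit(r Release) Release {
	r.Tarball = append(append([]byte(nil), r.Tarball...), []byte("# backdoor\n")...)
	return r
}

// CompromiseServer models the scenario the post worries about: the web
// server is owned, so the attacker swaps the tarball AND regenerates the
// checksum file to match. Without the private key they cannot produce a
// valid signature, so the stale one stays behind (constructed attacker model).
func CompromiseServer(r Release, name string) Release {
	r.Tarball = append(append([]byte(nil), r.Tarball...), []byte("# backdoor\n")...)
	r.Checksums = checksumFile(name, r.Tarball) // attacker "fixes" the checksum
	return r
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	name := "puppet-0.24.7rc2.tgz"
	tarball := []byte("constructed stand-in for the release tarball bytes")
	genuine := Publish(priv, name, tarball)

	cases := []struct {
		label string
		r     Release
	}{
		{"genuine release", genuine},
		{"tampered in transit", TamperInTransit(genuine)},
		{"compromised server", CompromiseServer(genuine, name)},
	}
	for _, c := range cases {
		fmt.Printf("%-20s checksum-only: %v\n", c.label, VerifyChecksumOnly(c.r, name))
		fmt.Printf("%-20s signed:        %v\n", c.label, VerifySigned(pub, c.r, name))
	}
}
```

The "compromised server" row is the one that matters: checksum-only verification reports success there, because the attacker regenerated the checksum file alongside the tarball, while signed verification fails because the private key never lived on the server. The same reasoning is why the signing key belongs on the release manager's own machine and why a revocation certificate for it should be prepared in advance.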