On Thu, Oct 26, 2017 at 11:53 AM, Harald Schilly
<[email protected]> wrote:
> Hi, I don't see how https helps with any such attack. What I always pointed
> out is to use checksums, e.g. the webseed torrent files here
> http://files.sagemath.org/torrents.html have checksums, and what would be
> missing is to sign them. AFAIK there is no official public/private key for
> files on sagemath.org, but we could create one and sign files containing
> checksums. We can also add the fingerprint of the key to the source code.
> (Which makes me wonder if we are maybe already signing the tagged releases
> in git?)

Yup, this is why I suggested better hashes are almost more important
here than HTTPS, and yes, we should sign them as well--i.e. any time an
spkg is updated, a trusted member of the project should at least be
verifying the hashes and appending their signature to the checksum.
That of course still says nothing about the validity of the source
tarball being signed, but one can only trust that it is valid if it
came from its original source--alas, the chain of trust in this
case is often flimsy.  When I was personally release manager on more
widely used software I signed every tag and release tarball.  No idea
if we do that...

-- 
You received this message because you are subscribed to the Google Groups 
"sage-devel" group.
Visit this group at https://groups.google.com/group/sage-devel.
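The two checks the thread is asking for, as an added example that is not code from the sage-devel thread or from the Sage project: verify downloaded spkg tarballs against a checksum file in `sha256sum` format, refusing weak (MD5/SHA-1 length) digests, and compare the fingerprint of the key that signed that checksum file with a fingerprint pinned in the source tree. The tarball names, their contents and the pinned fingerprint are constructed for the example; the gpg invocation that produces the signature and reports the signer's fingerprint is not part of this block.

```python
# Added example (not from the sage-devel thread or the Sage project).
# Verifies a sha256sum-style checksum file against spkg tarballs and pins the
# fingerprint of the key expected to have signed that file.
import hashlib
import hmac
import re

# A sha256sum line is "<hex digest>  <name>" (two spaces, or " *" for binary mode).
_ENTRY = re.compile(r"^([0-9a-fA-F]+) [ *](\S+)$")

# Fingerprint of the trusted release-signing key as it would be pinned in the
# source tree. Constructed placeholder, not a real Sage key.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"


def parse_checksum_file(text):
    """Parse sha256sum output into {name: digest}.

    Rejects malformed lines, duplicate names and any digest that is not 64 hex
    characters: an MD5 (32) or SHA-1 (40) entry is an error, not something to
    check quietly, since a weak hash is exactly what an attacker would keep.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed checksum entry")
        digest, name = m.group(1).lower(), m.group(2)
        if len(digest) != 64:
            raise ValueError(f"line {lineno}: {name}: expected SHA-256, got {len(digest)} hex chars")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def verify_tarballs(checksums, tarballs):
    """Check every tarball (name -> bytes) against the parsed checksum file.

    Returns {name: "ok" | "mismatch" | "missing" | "unlisted"}. "unlisted" marks a
    tarball the checksum file does not vouch for at all; it must not be used.
    """
    results = {}
    for name, expected in checksums.items():
        data = tarballs.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual = hashlib.sha256(data).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in tarballs:
        if name not in checksums:
            results[name] = "unlisted"
    return results


def signer_is_trusted(reported_fingerprint):
    """Compare the fingerprint gpg reports for the checksum file's signature with
    the pinned one. gpg prints fingerprints in groups of four separated by spaces,
    so normalise whitespace and case before comparing."""
    norm = lambda s: "".join(s.split()).upper()
    return hmac.compare_digest(norm(reported_fingerprint), norm(PINNED_FINGERPRINT))


def write_checksum_file(tarballs):
    """Produce the sha256sum-format text a release manager would then sign."""
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in sorted(tarballs.items()))


def demo():
    """Constructed release of three tarballs, then the same release as served by a
    tampered mirror: one tarball modified, one removed, one extra file added."""
    tarballs = {
        "foo-1.0.tar.gz": b"constructed foo tarball bytes",
        "bar-2.3.tar.bz2": b"constructed bar tarball bytes",
        "baz-0.9.tar.gz": b"constructed baz tarball bytes",
    }
    checksums = parse_checksum_file(write_checksum_file(tarballs))
    clean = verify_tarballs(checksums, tarballs)

    tampered = dict(tarballs)
    tampered["bar-2.3.tar.bz2"] = b"constructed bar tarball bytes with a backdoor"
    tampered["evil-0.1.tar.gz"] = b"not in the checksum file"
    del tampered["baz-0.9.tar.gz"]
    attacked = verify_tarballs(checksums, tampered)
    return clean, attacked


if __name__ == "__main__":
    clean, attacked = demo()
    print("clean mirror:   ", clean)
    print("attacked mirror:", attacked)
    print("signer pinned?  ", signer_is_trusted("0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"))
```

The order matters in practice: check the signature on the checksum file first (and only accept it if the reported fingerprint matches the pinned one), then check the tarballs against it. A checksum file fetched over the same channel as the tarballs, without a signature, only protects against corruption, not against a mirror that rewrites both.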