On 26 October 2017 at 11:18, Erik Bray <[email protected]> wrote:
> On Thu, Oct 26, 2017 at 11:53 AM, Harald Schilly
> <[email protected]> wrote:
>> Hi, I don't see how https helps with any such attack. What I always pointed
>> out is to use checksums. E.g. the webseed torrent files here
>> http://files.sagemath.org/torrents.html have checksums and what would be
>> missing is to sign them. AFAIK there is no official public/private key for
>> files on sagemath.org, but we could create one and sign files containing
>> checksums. We can also add the fingerprint of the key to the source code.
>> (Which makes me wonder if we are maybe already signing the tagged releases
>> in git?)
>
> Yup, this is why I suggested better hashes are almost more important
> here than HTTPS, and yes we should sign them as well--i.e. any time an
> spkg is updated a trusted member of the project should at least be
> verifying the hashes and appending their signature to the checksum.
> That of course still says nothing for the validity of the source
> tarball being signed, but one can only trust that they are valid if
> they came from their original source--alas the chain of trust in this
> case is often flimsy. When I was personally release manager on more
> widely used software I signed every tag and release tarball. No idea
> if we do that...
Tell me what I should do to sign / certify tarballs for eclib, and I'll do it.

John

> --
> You received this message because you are subscribed to the Google Groups
> "sage-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/sage-devel.
> For more options, visit https://groups.google.com/d/optout.
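The thread proposes two things: verify downloaded tarballs against a checksum file, and sign that checksum file with a project key whose fingerprint is pinned in the source tree. The script below is an added example, not code from this thread, from Sage, or from eclib: it shows the verification half that a packaging tool would run after `gpg --verify` has accepted the manifest's signature. The `sha256sum`-style manifest format, the file names, the manifest contents and the pinned fingerprint are all constructed for illustration; the fingerprint check stands in for comparing the signing key's fingerprint against the constant the thread suggests shipping in the source code.

```python
"""Verify release tarballs against a checksum manifest and check a pinned key fingerprint.

Added example for the sage-devel discussion above; not Sage or eclib code.
Manifest format assumed: sha256sum style, "<64 hex chars>  <filename>" per line.
"""
import hashlib
import hmac
import os
import tempfile

# Hypothetical pinned fingerprint of the release-signing key, the kind of constant the
# thread proposes committing to the source tree. Constructed value, not a real key.
PINNED_KEY_FINGERPRINT = "0123456789abcdef0123456789abcdef01234567"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large tarballs are never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: digest}; reject malformed or duplicate entries."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != 64
                or any(c not in "0123456789abcdef" for c in parts[0].lower())):
            raise ValueError(f"manifest line {lineno}: malformed entry")
        # sha256sum prefixes the name with '*' for binary mode; strip it.
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def verify_tarball(path, manifest):
    """Return (ok, reason). A file absent from the manifest is a failure, not a pass."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not listed in manifest"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: checksum mismatch"
    return True, f"{name}: ok"


def key_fingerprint_is_pinned(fingerprint):
    """Compare the fingerprint of the key that signed the manifest against the pinned constant."""
    normalized = fingerprint.replace(" ", "").lower()
    return hmac.compare_digest(normalized, PINNED_KEY_FINGERPRINT)


def demo():
    """Constructed scenario: one intact tarball, one altered tarball, one unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "eclib-example.tar.bz2")
        with open(good, "wb") as f:
            f.write(b"constructed tarball contents, stands in for a real release")
        tampered = os.path.join(d, "eclib-tampered.tar.bz2")
        with open(tampered, "wb") as f:
            f.write(b"constructed tarball contents, modified in transit")
        unlisted = os.path.join(d, "unknown.tar.bz2")
        with open(unlisted, "wb") as f:
            f.write(b"not in the manifest at all")
        # The manifest records what the maintainer published: for the "tampered" file that
        # is the digest of the original bytes (identical to the good file here).
        manifest_text = "\n".join([
            "# constructed manifest",
            f"{sha256_file(good)}  eclib-example.tar.bz2",
            f"{sha256_file(good)}  *eclib-tampered.tar.bz2",
        ])
        manifest = parse_manifest(manifest_text)
        return [verify_tarball(p, manifest)[0] for p in (good, tampered, unlisted)]


if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

Two design points carry the weight here: an unlisted file fails rather than being skipped, so an attacker cannot bypass the check by dropping a file the manifest never covered, and the manifest is only worth trusting after its signature has been verified against a key whose fingerprint is pinned in the tree, which is exactly why the thread wants both the signature and the pinned fingerprint rather than checksums alone.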
