[Apachetoolbox-devel] Re: General: logging revisited...
From: Toni M. <su...@oe...> - 2002-07-24 15:09:41
Hi Kevin,

On Wed, Jul 24, 2002 at 10:44:42AM -0400, Kevin J. Menard, Jr. wrote:
> TM> Yes. MD5 and SHA1 sums are a good way of suggesting that the tarball
> TM> on the server hasn't been tampered with, even if it comes from
> TM> evilbryansoftware.com. PGP signatures are another way of asserting
> TM> that.

> PGP signatures don't seem to be so prevalent, at least from my experience.

Yes. I was only trying to enumerate the most common options.

> And I simply don't have enough experience with gnupg to be able to perform
> this checking (though I could learn, I just haven't had the need). As far

IMHO a sig would give the most trust to the package's integrity, with SHA1
second and MD5 third.

> as SHA1, I really haven't seen that being used outside the realm of LDAP
> password storage, but I'm sure it's because most people are still using MD5.

Yes - MD5 is the most popular method of these. SHA1 should be as easy as MD5
and is the preferred method to determine a checksum on OpenBSD (you type
"sha1" instead of "md5" and get a different value).

> This is true, but the md5sum shouldn't change just because it's on a
> different host. Of course, unless the user goes to the original author's

Yes, they don't change. That's what I wanted to say, too - as long as people
trust (or independently verify) the checksums for the provided packages, it
doesn't really matter that much if the script goes to his website and
downloads software from there.

> page to check, he'll just have to trust that the md5sums in etc/md5sum.conf
> are accurate (which almost negates the purpose in the first place, but
> that's beside the point :-P).

Yes. IMHO it works the other way round: Bryan collects the "original"
checksums and then downloads the packages mostly from their original sites
and checks if the download succeeded, using his canned list of checksums
(etc/md5sum.conf).

> See above. I would think that this would be enough. As far as I know,
> there haven't been any proven real-world collisions with md5sums given
> different inputs. But I'm no security expert either. Actually, as a home

That theoretical possibility of a clash, or rather, that someone could fake a
file for a given MD5 sum, made OpenBSD switch to SHA1 where no such method
appears to be currently known.

> user, I'm naive. I figure if someone was able to hack into apache.org and
> change the tarball, or otherwise hijack my session to get me to download the
> wrong one, then it just wasn't my day and I'd chalk it up as a loss. Hasn't

Hacking into apache.org is very evil indeed. Hijacking the session could
easily be prevented by offering HTTPS or SSH (RSYNC) or SFTP downloads.

> I don't build much from source these days.

For me, it depends. If you have a number of different platforms, but the
need/want to have similar packages installed on each, possibly with slightly
different options, you may reach a point where building stuff yourself is
easier than downloading several flavours of canned packages for each
platform.

> Btw, did Bryan fix your forum account and/or set up your SF access?

Oops - at least I never tried again, but I also have not received anything
from him either. You also don't list me as a developer (which is ok with me).

Best,
--Toni++
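The checksum-verification step the message discusses (a canned list of digests checked against downloaded tarballs, with MD5 ranked weakest, SHA1 above it, and a signature above both), as an added example that is not part of this thread and is not Apache Toolbox's own code. Because the format of etc/md5sum.conf is not shown here, the verifier reads the `<hex>  <filename>` format that md5sum/sha1sum/sha256sum emit; the file names, list contents and the "refuse MD5-only entries by default" policy are assumptions made for the example, and the digests used are the published test vectors for the three-byte input "abc".

```python
"""Verify downloaded tarballs against a checksum list, preferring stronger
hashes.  Constructed example, not Apache Toolbox code.  The list format
assumed here is the one md5sum/sha1sum/sha256sum print ("<hex>  <file>"),
not the (unshown) format of etc/md5sum.conf."""
import hashlib
import hmac
import os
import tempfile

# Hex-digest length -> algorithm.  Ranked weakest to strongest below.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
STRENGTH = {"md5": 0, "sha1": 1, "sha256": 2}


def parse_checksum_list(text):
    """Parse '<hex>  <filename>' lines into (filename, algo, hex) tuples.
    Blank lines, comments and lines that are not a recognised digest are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # binary-mode marker written by the GNU tools
        algo = ALGO_BY_LEN.get(len(digest))
        if algo is None:
            continue
        try:
            int(digest, 16)
        except ValueError:
            continue
        entries.append((name, algo, digest.lower()))
    return entries


def file_digest(path, algo):
    """Hash a file in chunks so a large tarball need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(checksum_text, directory, minimum="sha1"):
    """Return {filename: status} with status 'OK', 'MISMATCH', 'MISSING', or
    'WEAK:<algo>' when the listed digest uses an algorithm below `minimum`.
    A weak entry is reported rather than checked: a matching MD5 says little
    against an attacker who can pick both the original and the substitute."""
    results = {}
    for name, algo, expected in parse_checksum_list(checksum_text):
        if STRENGTH[algo] < STRENGTH[minimum]:
            results[name] = "WEAK:" + algo
            continue
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algo)
        # constant-time compare; both sides are ASCII hex strings
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo():
    """Constructed scenario (hypothetical file names): four small 'tarballs'
    and a list mixing SHA-1, SHA-256 and MD5 entries.  The digests are the
    standard test vectors for b'abc'."""
    checksums = (
        "# constructed list, not any real distribution's\n"
        "a9993e364706816aba3e25717850c26c9cd0d89d  httpd-good.tar.gz\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  mod_good.tar.gz\n"
        "a9993e364706816aba3e25717850c26c9cd0d89d  httpd-tampered.tar.gz\n"
        "900150983cd24fb0d6963f7d28e17f72  md5-only.tar.gz\n"
        "a9993e364706816aba3e25717850c26c9cd0d89d  not-downloaded.tar.gz\n"
    )
    with tempfile.TemporaryDirectory() as d:
        for name, body in [("httpd-good.tar.gz", b"abc"),
                           ("mod_good.tar.gz", b"abc"),
                           ("httpd-tampered.tar.gz", b"abd"),  # one byte changed
                           ("md5-only.tar.gz", b"abc")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        return verify(checksums, d, minimum="sha1")


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:12} {name}")
```

Run stand-alone it prints one status per listed file. The check only establishes that the download matches the list: if the list itself came from the same server as the tarball, a matching digest proves a clean transfer and nothing more, which is the reason the message ranks a detached signature, verified against a key obtained elsewhere, above any bare checksum.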