[Freeipa-devel] [SSSD] SSSD Release Process

Stephen Gallagher sgallagh at redhat.com
Fri Jun 19 16:58:15 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/19/2009 12:50 PM, Simo Sorce wrote:
> On Fri, 2009-06-19 at 12:38 -0400, Stephen Gallagher wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Discussion welcome.
> 
> why the md5sum and the shasum when we already have the .asc ?
> And why both ?
> 
> Simo.
> 

I always prefer paranoia when it comes to security. I wanted to have at
least one other method of verifying the tarball provided on our wiki
(since it's possible that someone on Fedorahosted.org could replace our
.asc and tarball with ones of their own devising, and the chances of
them doing so in both the release fileserver and on our wiki are smaller).

Also, if we're going to provide a hash, providing both means that even
if someone actually managed to force a hash-collision to provide a fake
tarball, they'd have to fake BOTH the md5 and sha1 sums. This is so
unlikely as to be effectively impossible.

And yes, there's a slight possibility that I'm too paranoid. I consider
that a plus when working on security software.

- -- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAko7w54ACgkQeiVVYja6o6PSZACfYrna45ppXejyi2WBwpVAIcPT
eSQAoLA//DI4+RtuYVh6rU6WS5MxX5gd
=2qau
-----END PGP SIGNATURE-----
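
Added example, not part of the original message or of the SSSD release tooling: one way a downloader could check a tarball against both the md5 and sha1 sums obtained from a second channel, accepting it only if every published sum matches. The file name, the sample bytes and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import io

def digests(stream, algorithms, chunk_size=65536):
    """Read the stream once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def parse_sum_line(line):
    """Split an md5sum/sha1sum style line, '<hex>  <name>' or '<hex> *<name>'."""
    digest, _, name = line.strip().partition(" ")
    return name.lstrip(" *"), digest.lower()

def verify(stream, filename, published):
    """Return the algorithms whose published line does not match the stream.

    `published` maps algorithm name -> checksum line fetched from the second
    channel. An empty list means every published sum matched.
    """
    actual = digests(stream, tuple(published))
    failures = []
    for algorithm, line in published.items():
        name, expected = parse_sum_line(line)
        if name != filename or not hmac.compare_digest(actual[algorithm], expected):
            failures.append(algorithm)
    return failures

# Constructed sample data: stand-in bytes, not a real SSSD release.
NAME = "sssd-example.tar.gz"
GENUINE = b"constructed stand-in for the release tarball\n" * 1000
TAMPERED = GENUINE + b"extra payload"
PUBLISHED = {a: f"{d}  {NAME}" for a, d in
             digests(io.BytesIO(GENUINE), ("md5", "sha1")).items()}
# Only the md5 line was replaced to match the tampered file; sha1 still flags it.
FORGED_MD5 = dict(PUBLISHED, md5=hashlib.md5(TAMPERED).hexdigest() + f"  {NAME}")

if __name__ == "__main__":
    print(verify(io.BytesIO(GENUINE), NAME, PUBLISHED))
    print(verify(io.BytesIO(TAMPERED), NAME, PUBLISHED))
    print(verify(io.BytesIO(TAMPERED), NAME, FORGED_MD5))
```

The check is only as independent as the channel the sum lines come from, which is why the message places them on the wiki rather than beside the tarball.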



