
#10 Feature Request: Source tarball integrity

Milestone: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2016-11-11
Created: 2016-11-06
Creator: G4JC
Private: No

There is currently no GPG signature to verify that the
source is actually the one you have created.

This is particularly important since there have been recent attacks
which replaced files on upstream servers. Take for example the Linux
Mint hack earlier this year.
(https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/)

I would like to request that you please upload a SHA512 checksum of your
tar.gz files, as well as sign the SHA512 with a GPG signature.

Technical documentation on how to do this:
http://docs.oracle.com/cd/E36784_01/html/E36870/sha512sum-1.html
sha512sum * > SHA512SUMS

https://help.ubuntu.com/community/GnuPrivacyGuardHowto
https://access.redhat.com/solutions/1541303
gpg --clearsign -o SHA512SUMS.sign SHA512SUMS

The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be
uploaded to your site (or on another site/server for added security), so
that package maintainers can verify that the source is accurate and
unhacked by a third-party prior to packaging.

Thank you.

Discussion

  • Dmitry Butskoy - 2016-11-07

    It would sound reasonable if I chose some site of my own for upstream.

    But for now, I completely trust SourceForge and its policies.

    (Did not visit the first link, since I don't trust proprietary corporate stuff ;) )

  • G4JC - 2016-11-11

    I do not trust sourceforge for a variety of reasons.

    However, even if I did, without checksums I am unable to confirm that I downloaded the file without corruption. At minimum you should consider uploading a SHA512 file along with your releases so users can confirm the file downloaded correctly. GPG would also benefit in case someone manages to hack sourceforge and/or gain access to your developer account.

    Thank you.


    Last edit: G4JC 2016-11-11
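
The procedure requested in the ticket (sha512sum into SHA512SUMS, then gpg --clearsign) and the distinction drawn in the follow-up comment (a checksum catches a corrupted download; only a signature catches a hacked server or account) together, as an added example that is not part of the ticket, the project, or SourceForge. It implements both sides: the release side that builds and clearsigns SHA512SUMS, and the packager side that verifies the signature first and then checks the tarballs against the checksums inside the signed text, never against the unsigned SHA512SUMS file. The key identity, file names and tarball contents are constructed for the demo; it creates a throwaway ed25519 key in a private GNUPGHOME so it runs offline with only sha512sum and GnuPG 2.1 or later installed.

```shell
#!/bin/sh
# Added example, not the project's code. Release side: build SHA512SUMS and
# clearsign it. Packager side: verify the signature, then the checksums,
# reading the sums from the signed text only. The key identity, file names
# and tarball contents below are constructed for this demo.
set -eu

# Release side: checksum every tarball in DIR into DIR/SHA512SUMS.
make_sums() {
    ( cd "$1" && sha512sum *.tar.gz > SHA512SUMS )
}

# Release side: clearsign the checksum list with the key selected by KEYID
# (the ticket's command plus --batch/--yes so it runs unattended).
sign_sums() {
    gpg --batch --yes --local-user "$2" --clearsign \
        -o "$1/SHA512SUMS.sign" "$1/SHA512SUMS"
}

# Packager side: print "ok" and succeed only if the signature is good AND
# every listed tarball matches the sums inside the signed text. The unsigned
# SHA512SUMS is never consulted: anyone who can swap a tarball on the server
# can rewrite it too, so it only helps users without gpg detect corruption.
verify_release() (
    cd "$1"
    gpg --batch --verify SHA512SUMS.sign >/dev/null 2>&1 \
        || { echo bad-signature; exit 1; }
    gpg --batch --decrypt SHA512SUMS.sign 2>/dev/null \
        | sha512sum -c --strict --quiet - >/dev/null 2>&1 \
        || { echo checksum-mismatch; exit 1; }
    echo ok
)

# Demo with constructed data: a throwaway ed25519 key in a private GNUPGHOME
# and two fake "tarballs", all under one temp dir, so it runs offline.
demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'Release Bot (example) <release@example.invalid>' \
        ed25519 sign 0 2>/dev/null
    rel="$work/release"
    mkdir "$rel"
    printf 'tarball one\n' > "$rel/foo-1.0.tar.gz"
    printf 'tarball two\n' > "$rel/foo-1.1.tar.gz"
    make_sums "$rel"
    sign_sums "$rel" release@example.invalid

    # 1. Pristine release verifies.
    r1=$(verify_release "$rel" || true)

    # 2. Tarball swapped on the server (the Linux Mint scenario): the
    #    signature is still good, but the checksum mismatch is caught.
    printf 'backdoored\n' > "$rel/foo-1.0.tar.gz"
    r2=$(verify_release "$rel" || true)

    # 3. Attacker also edits the checksum line inside SHA512SUMS.sign to
    #    match the backdoored file. A bare SHA512SUMS would now "verify";
    #    the signature over the edited text no longer does.
    newsum=$(cd "$rel" && sha512sum foo-1.0.tar.gz)
    sed "s/^[0-9a-f]*  foo-1\.0\.tar\.gz\$/$newsum/" "$rel/SHA512SUMS.sign" \
        > "$rel/SHA512SUMS.sign.tmp"
    mv "$rel/SHA512SUMS.sign.tmp" "$rel/SHA512SUMS.sign"
    r3=$(verify_release "$rel" || true)

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$r1 $r2 $r3"   # ok checksum-mismatch bad-signature
}

if command -v gpg >/dev/null 2>&1; then
    demo
else
    echo "gpg not installed; skipping demo" >&2
fi
```

A real packager would import the maintainer's public key out of band (keyserver, a key published on a different site, or one already in the distribution's keyring) before running verify_release; the demo skips that step only because it generates and verifies with the same throwaway key.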
