

On Tue, Nov 27, 2012 at 7:01 AM, Petr Mladek <pmladek@suse.cz> wrote:

> Or we want to make sure that people use the only single version of the
> tarballs (security?, preciseness?). In this case, we might need md5sum
> in git. But this is a pretty non-standard solution. I think that it is too
> paranoid and I am not sure if it is worth the effort having the complex
> names. For example, if you want to work with the file and do not
> remember the md5sum, you need to search the directory to be able to write
> the right name...

I do think that it is worth the effort.
We do point to tarballs that are not hosted directly, and we do want to
detect an intrusion.

If someone hacks our infra and messes with the git repo... since hundreds of
people have a copy of the git repo we will notice a hack there...
but if the md5 value is not in git itself then someone that hacks the
server can inject his own tarball and that would not be detected unless
someone carefully inspects the tarball or gets an md5 independently of
the original tarball...

so there is no real point of using md5 if we are not keeping the
'value' in git itself (and no, the download integrity check _is_ not
worth it... if a download fails you usually know, and even if you do
not, that rarely results in something that you can uncompress and untar
without error)

Norbert
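The argument above is that a checksum is only an intrusion detector when it lives somewhere the download server cannot rewrite, i.e. in the widely cloned git repository. The following is an added illustration, not code from the LibreOffice build system: it assumes the "complex names" convention is `<md5hex>-<basename>.tar.gz`, takes the expected digest from that name (standing in for the value committed to git), and rejects a tarball whose bytes no longer match, while a name carrying no digest gives the verifier nothing independent to check against.

```python
import hashlib
import io
import re
import tarfile

# Assumed naming convention (not shown on the page): "<md5hex>-<basename>.tar.gz"
NAME_RE = re.compile(r"^(?P<md5>[0-9a-f]{32})-(?P<base>.+\.tar(\.gz|\.bz2|\.xz)?)$")


def expected_md5_from_name(filename):
    """Return the md5 hex digest embedded in a checksum-prefixed name, or None."""
    m = NAME_RE.match(filename)
    return m.group("md5") if m else None


def md5_of_bytes(data, chunk_size=1 << 16):
    """Hash the payload in chunks, as a verifier would for a large download."""
    h = hashlib.md5()
    view = memoryview(data)
    for i in range(0, len(view), chunk_size):
        h.update(view[i:i + chunk_size])
    return h.hexdigest()


def verify_download(filename, data):
    """True only if the downloaded bytes match the digest recorded in the name.

    The digest in the name is the value kept under version control, so a
    server that swaps the tarball cannot also rewrite what we compare against.
    A name without a digest means there is no independent reference: reject.
    """
    expected = expected_md5_from_name(filename)
    if expected is None:
        return False
    return md5_of_bytes(data) == expected


def make_tarball(member_name, content):
    """Build a small in-memory .tar.gz (constructed sample, not a real tarball)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(member_name)
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    genuine = make_tarball("libfoo-1.0/README", b"hello\n")
    name = md5_of_bytes(genuine) + "-libfoo-1.0.tar.gz"   # digest as committed to git
    tampered = make_tarball("libfoo-1.0/README", b"hello\n# replaced on the mirror\n")
    print(verify_download(name, genuine), verify_download(name, tampered))  # True False
```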


