Date: prev next · Thread: first prev next last
2017 Archives by date, by thread · List index 

On Fri, Feb 24, 2017 at 8:03 AM, Necdet Yücel <necdetyucel@gmail.com> wrote:

2017-02-24 16:42 GMT+03:00 Norbert Thiebaud <nthiebaud@gmail.com>:


On Fri, Feb 24, 2017 at 5:13 AM, Necdet Yücel <necdetyucel@gmail.com>
wrote:

Hi,

in configure script file integrity is checked by using sha1sums.


You are sure about that ? or you just did a quick git grep sha1sum and
went from there ?



i saw SHA1SUM="openssl sha1" in configure script and wrote here. If it's ok
for LO, then it's ok for me too. Sorry for inconvenience


This instance of sha1sum usage is in a test intended to detect a bug
in gmake. the input being sha-ed
are generated during the test.. this is not suceptible attacks, and
even it it was the consequences would be to
not detect a buggy gmake and have the build fail possibly later.

The situation with checksum of 'external' files is much worse that you thought.
They are actually checked with md5.
That being said they are not truly external, since they are hosted on
the project infrastructure
and the original motivation was not so much malicious injection
detection but faulty transfer.
using sha1 there would actually be an 'improvement' :-)

I guess we could convert that to shasum -a 256

Note though that the binaries published by tdf for download come with
a variety of hashes to verify against
http://download.documentfoundation.org/libreoffice/stable/5.3.0/mac/x86_64/LibreOffice_5.3.0_MacOS_x86-64.dmg.mirrorlist
including a pgp signature

Context

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.