View Issue Details

ID: 0000575
Project: file
Category: general
View Status: public
Last Update: 2017-04-11 15:17
Reporter: John Smith
Assigned To: Christos Zoulas
Status: resolved
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 5.31
Summary: 0000575: Integrity of source files
Description:
There is currently no hash check or GPG signature to verify that the
source is actually the one you have created.
This is particularly important since there have been recent attacks
which replaced files on upstream servers. Take for example the Linux
Mint hack earlier this year.

I would like to request that you please upload a SHA512 checksum of your
file tar.gz files, as well as sign the SHA512 with a GPG signature.

Technical documentation on how to do this:
sha512sum * > SHA512SUMS
gpg --clearsign -o SHA512SUMS.sign SHA512SUMS

The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be
uploaded to your site (or on another site/server for added security), so
that package maintainers can verify that the source is accurate and
unhacked by a third-party prior to packaging.

Thank you for your time and concern.
Tags: No tags attached.

Christos Zoulas   2016-11-07 18:06   manager   ~0001438

Wouldn't it just be adequate to: gpg --armor --detach-sign file-X.YY.tar.gz

Christos Zoulas   2017-04-11 15:17   manager   ~0001498

Signing the tar files from now on.
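
The two sides of the workflow discussed in this report, as an added example that is not code from the file project or from either participant: the maintainer's steps from the description (a SHA512SUMS file) combined with the detached-signature form suggested in note ~0001438, and the packager's verification steps. It assumes GnuPG 2.x (`gpg`) and coreutils `sha512sum` (or perl `shasum`) on PATH; the tarball name, key identity and fingerprint are placeholders. The one point the description leaves implicit is what the packager must pin: `gpg --verify` exiting 0 only says that some key in the keyring made the signature, so the key is imported into a throwaway keyring and the fingerprint on the `VALIDSIG` status line is compared with one obtained out of band (which is what makes publishing the key or fingerprint "on another site/server" useful: an attacker who replaces the tarball on the download host can replace a key hosted beside it just as easily).

```shell
#!/bin/sh
# Added example (not code from the file project or from the bug report).
# Maintainer side: SHA512SUMS plus detached ASCII-armored signatures.
# Packager side: checksum check plus signature check against a pinned key.
# Assumes GnuPG 2.x ("gpg") and sha512sum (or "shasum -a 512") on PATH.
# File names, key identities and fingerprints below are placeholders.

# Pick a SHA-512 tool: coreutils sha512sum, or "shasum -a 512" on BSD/macOS.
sha512_tool() {
    if command -v sha512sum >/dev/null 2>&1; then
        echo sha512sum
    else
        echo "shasum -a 512"
    fi
}

# Maintainer, step 1: SHA512SUMS covering every tarball in the release dir.
write_checksums() {
    ( cd "$1" && $(sha512_tool) *.tar.gz > SHA512SUMS )
}

# Maintainer, step 2: a detached, ASCII-armored signature (*.asc) for
# SHA512SUMS and for each tarball, signed with the release key KEYID.
release_sign() {
    dir=$1; keyid=$2
    for f in "$dir"/SHA512SUMS "$dir"/*.tar.gz; do
        gpg --batch --yes --armor --local-user "$keyid" \
            --output "$f.asc" --detach-sign "$f"
    done
}

# Packager, step 1: "sha512sum -c" exits non-zero if any listed file differs.
verify_checksums() {
    ( cd "$1" && $(sha512_tool) -c SHA512SUMS >/dev/null 2>&1 )
}

# Packager, step 2: verify a detached signature against ONE expected key.
# The maintainer's public key goes into a throwaway keyring, so nothing else
# on the packager's machine can satisfy the check, and the fingerprint on the
# VALIDSIG status line must equal the fingerprint pinned by the packager.
verify_release() {
    target=$1; sig=$2; pubkey=$3; expected_fpr=$4
    kr=$(mktemp -d)
    chmod 700 "$kr"
    GNUPGHOME=$kr gpg --batch --quiet --import "$pubkey" >/dev/null 2>&1 \
        || { rm -rf "$kr"; return 1; }
    status=$(GNUPGHOME=$kr gpg --batch --status-fd 1 --verify "$sig" "$target" \
             2>/dev/null || true)
    rm -rf "$kr"
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr "
}

# Primary-key fingerprint of a key in the current keyring: what the maintainer
# publishes out of band and what the packager pins.
key_fingerprint() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage (maintainer): write_checksums ./release && release_sign ./release KEYID
# Usage (packager):   verify_checksums ./release && verify_release \
#     ./release/file-X.YY.tar.gz ./release/file-X.YY.tar.gz.asc \
#     maintainer-pubkey.asc 0123456789ABCDEF0123456789ABCDEF01234567
```

Signing each tarball directly, as note ~0001438 proposes, means a packager who fetches only one tarball needs only that tarball, its `.asc` and the pinned fingerprint; the signed SHA512SUMS additionally lets a mirror operator check a whole release directory in one `sha512sum -c` run once the sums file itself has been verified.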

Issue History

Date Modified Username Field Change
2016-11-02 01:28 John Smith New Issue
2016-11-07 18:06 Christos Zoulas Note Added: 0001438
2016-11-07 18:06 Christos Zoulas Assigned To => Christos Zoulas
2016-11-07 18:06 Christos Zoulas Status new => assigned
2016-11-07 18:06 Christos Zoulas Status assigned => feedback
2017-04-11 15:17 Christos Zoulas Status feedback => resolved
2017-04-11 15:17 Christos Zoulas Resolution open => fixed
2017-04-11 15:17 Christos Zoulas Fixed in Version => 5.31
2017-04-11 15:17 Christos Zoulas Note Added: 0001498