View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000575||file||general||public||2016-11-02 01:28||2017-04-11 15:17|
|Assigned To||Christos Zoulas|
|Target Version||Fixed in Version||5.31|
|Summary||0000575: Integrity of source files|
|Description||There is currently no hash check or GPG signature to verify that the source is actually the one you have created.

This is particularly important since there have been recent attacks which replaced files on upstream servers. Take for example the Linux Mint hack earlier this year.

I would like to request that you please upload a SHA512 checksum of your file tar.gz files, as well as sign the SHA512 with a GPG signature.

Technical documentation on how to do this:

    sha512sum * > SHA512SUMS
    gpg --clearsign -o SHA512SUMS.sign SHA512SUMS

The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be uploaded to your site (or on another site/server for added security), so that package maintainers can verify that the source is accurate and unhacked by a third party prior to packaging.

Thank you for your time and concern.|
|Tags||No tags attached.|
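The release-and-verify flow the report describes, written out as an added example for both sides (the project producing SHA512SUMS and SHA512SUMS.sign, and the package maintainer checking them). This is not code from the file project or from the reporter; it assumes GNU coreutils `sha512sum` and GnuPG, the function names are hypothetical, and the tarball name and contents are constructed stand-ins. The maintainer-side signature check also pins the expected signing-key fingerprint, which the issue text does not mention.

```shell
#!/bin/sh
# Added example (not from the file project or the bug reporter): release-side
# checksum manifest generation and maintainer-side verification, following the
# SHA512SUMS / SHA512SUMS.sign layout proposed in the issue.
# All file names and contents below are constructed stand-ins.

# Release side: write a SHA512SUMS manifest for the tarballs in a directory.
# Globbing *.tar.gz (rather than *) keeps the manifest from listing itself on
# a re-run and from picking up unrelated files in the release directory.
make_sums() {
  ( cd "$1" && sha512sum *.tar.gz > SHA512SUMS )
}

# Release side: clearsign the manifest so the checksum list itself is
# authenticated. SHA512SUMS.sign carries both the sums and the signature.
# Needs the release key in the signer's keyring; returns 2 if gpg is absent.
sign_sums() {
  command -v gpg >/dev/null 2>&1 || return 2
  ( cd "$1" && gpg --batch --yes --clearsign -o SHA512SUMS.sign SHA512SUMS )
}

# Maintainer side, step 1: verify the signature and recover the signed text.
# gpg --decrypt on a clearsigned file checks it and writes the signed body to
# SHA512SUMS.verified, so the sums used in step 2 come from the signed file,
# not from an unsigned SHA512SUMS that could be swapped with the tarball.
# A zero gpg exit status alone is not enough (an imported but wrong key also
# yields a "good" signature), so $2 is the expected signing-key fingerprint
# (hex, no spaces) and the function succeeds only on a VALIDSIG status line
# that names it.
verify_signature() {
  command -v gpg >/dev/null 2>&1 || return 2
  ( cd "$1" && gpg --batch --status-fd 1 --decrypt -o SHA512SUMS.verified \
        SHA512SUMS.sign 2>/dev/null \
      | grep -q "^\[GNUPG:\] VALIDSIG $2 " )
}

# Maintainer side, step 2: recompute the hashes and compare with the manifest.
# sha512sum -c exits non-zero if any listed file is missing or differs.
# $2 names the manifest to trust (SHA512SUMS.verified after step 1).
verify_sums() {
  ( cd "$1" && sha512sum -c "${2:-SHA512SUMS}" >/dev/null 2>&1 )
}

# Constructed demonstration of the checksum half: build a fake release, verify
# it, then alter the tarball and show that verification fails.
demo() {
  dir=$(mktemp -d)
  printf 'constructed tarball contents\n' > "$dir/file-5.31.tar.gz"
  make_sums "$dir"
  verify_sums "$dir" && echo "clean release: checksums match"
  printf 'modified contents\n' > "$dir/file-5.31.tar.gz"
  verify_sums "$dir" || echo "tampered release: checksum mismatch detected"
  rm -rf "$dir"
}

demo
```

Against a real release a maintainer would run `verify_signature <dir> <fingerprint>` and only then `verify_sums <dir> SHA512SUMS.verified`; the fingerprint should come from a channel other than the download site (the project's key announcement, a distribution's keyring), since a server that can replace the tarball can replace an unsigned key or sums file just as easily.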
|2016-11-02 01:28||John Smith||New Issue|
|2016-11-07 18:06||Christos Zoulas||Note Added: 0001438|
|2016-11-07 18:06||Christos Zoulas||Assigned To||=> Christos Zoulas|
|2016-11-07 18:06||Christos Zoulas||Status||new => assigned|
|2016-11-07 18:06||Christos Zoulas||Status||assigned => feedback|
|2017-04-11 15:17||Christos Zoulas||Status||feedback => resolved|
|2017-04-11 15:17||Christos Zoulas||Resolution||open => fixed|
|2017-04-11 15:17||Christos Zoulas||Fixed in Version||=> 5.31|
|2017-04-11 15:17||Christos Zoulas||Note Added: 0001498|