sha256sum instead of sha1sum wanted #31
Comments
Where do you get the sums? Is it the same webserver as the binaries?
@guest20 https://strawberryperl.com/releases.html
If it's just as easy for an attacker to replace the list of sums as it is for her to replace the binary or even the link people use to get the binary, a longer sum/digest won't stop her sneaking a bad binary onto the downloads page. "sha1 is broken" is really only a useful discussion if you're relying on a sha1-based signature as the sole mechanism of verification, and everything else is locked down so hard that the attacker's only option† is to try and make her evil binary match the well-known sum of a legitimate release so that she can replace the released version with hers. That's not to say that wanting to be able to verify builds is not important, but rather to say that switching to a different sum is not going to deliver much more than a longer and yet equally trustworthy string to copy/paste. The containerised builds look relatively new^, and like a huge step in that direction, though it seems to be a struggle. Maybe also using the Releases tab on github could provide a second way to verify the sums of the binaries without breaking the bank? That said, I'm just some weirdo with a github account, and not a contributor to the project (unless comments on github issues count as contributing)
@guest20
This is a change that will take some time. We'll work on it soon.
@ntysdd how will you notice the change in the sum? Do you use a tool to monitor the download page?
@guest20
@ntysdd do you mean that a user should google "what is the sum of strawberry perl 5.34" and check against the google result?
@guest20 A user MAY google the hash string. And I say, it allows "us to more easily to notice the intrusion". NOT every user needs to do the check to make us notice the intrusion, because this is an open-source community, RIGHT? And, IN CASE you don't know that already, there are already sha1sums on the site, and SHA-1 is a cryptographic hash algorithm JUST like SHA-2, only weaker, and everything you say about SHA-2 also applies to SHA-1. Feel free to persuade developers to REMOVE the SHA-1 sums.
@ntysdd isn't the point of the sums to stop users installing malicious stuff? The project noticing a breach is secondary to that goal, and is only valuable if the member who notices does something that stops users downloading/installing a malicious binary. It's not a monitoring system for the people who upload the binaries, it's (supposed to be) a protection for the people downloading them. Your very fun sarcastic suggestion to remove sums doesn't improve the situation for anyone; providing a back channel for verifying the sum, either by signing them or publishing them in a different place than the binary, does.
Since sha1 is known to be broken, a safer digest algorithm is preferred on strawberryperl.com
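The thread's point about sum lists served from the same server as the binary, as an added example (not code from the Strawberry Perl project): a Python checker that verifies a download against sha1sum/sha256sum-style lists and only reports ok when every independently published list agrees. File names, file contents and sum lists are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def file_digest(path: Path, algo: str) -> str:
    """Hex digest of a file, streamed so a large installer need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text: str) -> dict:
    """Parse 'HEX  filename' lines as written by sha1sum / sha256sum."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]+)\s+\*?(\S+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def verify(path: Path, *published: str) -> str:
    """'ok' only if every published list agrees with the file; the algorithm
    is inferred from digest length, so SHA-1 and SHA-256 lists both work."""
    for text in published:
        expected = parse_sums(text).get(path.name)
        if expected is None:
            return "unlisted"
        algo = {40: "sha1", 64: "sha256"}.get(len(expected))
        if algo is None or file_digest(path, algo) != expected:
            return "mismatch"
    return "ok"

def demo() -> tuple:
    """Constructed scenario: a legitimate installer and a swapped one."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "strawberry-perl.msi"            # constructed file names
    bad = tmp / "swapped" / "strawberry-perl.msi"
    bad.parent.mkdir()
    good.write_bytes(b"legitimate installer bytes (constructed)")
    bad.write_bytes(b"tampered installer bytes (constructed)")
    # One list sits beside the binary, so whoever swapped the binary rewrote it
    # too; the other is published independently (e.g. a GitHub Releases page).
    same_server = f"{file_digest(bad, 'sha256')}  {bad.name}"
    independent = f"{file_digest(good, 'sha256')}  {good.name}"
    return (verify(bad, same_server),               # "ok": longer sum, no help
            verify(bad, same_server, independent),  # "mismatch": caught
            verify(good, independent))              # "ok"
```

The first result is the thread's argument in miniature: a SHA-256 list rewritten alongside the swapped binary still verifies, and only the second, independently published list exposes the swap.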