<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/06/2016 08:39 AM, Luke via
Cyrus-devel wrote:<br>
</div>
<blockquote
cite="mid:5e31d83d-92d8-de53-a1a7-cdfa3f9785dd@openmailbox.org"
type="cite">
<pre wrap="">-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

I am contacting you as a package maintainer of Parabola GNU/Linux-libre,
a fully free operating system in compliance with the Free Software
Foundation's GNU FSDG. We also have a focus on privacy and security.
We attempt to ensure that all of our packages and upstream are secure.
As such, I discovered a problem with several of your packages,
including "cyrus-sasl".

There is currently no hash check for the files on your FTP.
And the GPG signature used to verify has an algorithm which is
considered broken by Debian.

This is particularly important since there have been recent attacks
which replaced files on upstream servers. Take for example the Linux
Mint hack earlier this year.
(<a class="moz-txt-link-freetext" href="https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/">https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/</a>)

I would like to request that you please upload a SHA512 checksum of your
cyrus-sasl tar.gz files, as well as sign the SHA512 with a stronger
GPG signature.

Technical documentation on how to do this:
<a class="moz-txt-link-freetext" href="http://docs.oracle.com/cd/E36784_01/html/E36870/sha512sum-1.html">http://docs.oracle.com/cd/E36784_01/html/E36870/sha512sum-1.html</a>

sha512sum * > SHA512SUMS

<a class="moz-txt-link-freetext" href="https://keyring.debian.org/creating-key.html">https://keyring.debian.org/creating-key.html</a>
<a class="moz-txt-link-freetext" href="https://help.ubuntu.com/community/GnuPrivacyGuardHowto">https://help.ubuntu.com/community/GnuPrivacyGuardHowto</a>
<a class="moz-txt-link-freetext" href="https://access.redhat.com/solutions/1541303">https://access.redhat.com/solutions/1541303</a>

gpg --clearsign -o SHA512SUMS.sign SHA512SUMS

The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be
uploaded to your site (or on another site/server for added security), so
that package maintainers can verify that the source is accurate and
unhacked by a third party prior to packaging. Hosting via HTTPS would
also improve protection against MITM attacks that occur with FTP.

Thank you for your time and concern.

Sincerely,
Luke
Parabola GNU/Linux-libre Packager
-----BEGIN PGP SIGNATURE-----
=QZO5
-----END PGP SIGNATURE-----
</pre>
</blockquote>
I just checked and I don't see a .sig file for 2.1.26? I can<br>
verify that the sha256 signature for the file has not<br>
changed in the last couple of years.<br>
<br>
<table style="table-layout:auto">
<tbody>
<tr>
<th align="left">Last modified</th>
<th align="right">Size</th>
<th align="left">Name</th>
<th></th>
</tr>
<tr>
<td> </td>
<td> </td>
<td nowrap="nowrap"><a href="ftp://ftp.cyrusimap.org/">Parent
Directory</a></td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">03/Sep/2010 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> dir </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/BINARY-DISTRIBUTION/">BINARY-DISTRIBUTION</a></font></td>
<td><br>
</td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">09/Aug/2010 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> dir </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/OLD-VERSIONS/">OLD-VERSIONS</a></font></td>
<td><br>
</td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">30/Jul/2010 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> 5.3 MB </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-1.5.28.tar.gz">cyrus-sasl-1.5.28.tar.gz</a></font></td>
<td><br>
</td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">30/Jul/2010 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> 66 B </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-1.5.28.tar.gz.sig">cyrus-sasl-1.5.28.tar.gz.sig</a></font></td>
<td><br>
</td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">30/Jul/2010 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> 1.5 MB </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.23.tar.gz">cyrus-sasl-2.1.23.tar.gz</a></font></td>
<td><br>
</td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">30/Jul/2010 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> 72 B </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.23.tar.gz.sig">cyrus-sasl-2.1.23.tar.gz.sig</a></font></td>
<td><br>
</td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">30/Jul/2010 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> 1.5 MB </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.24rc1.tar.gz">cyrus-sasl-2.1.24rc1.tar.gz</a></font></td>
<td><br>
</td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">30/Jul/2010 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> 72 B </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.24rc1.tar.gz.sig">cyrus-sasl-2.1.24rc1.tar.gz.sig</a></font></td>
<td><br>
</td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">13/Sep/2011 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> 4.9 MB </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.25.tar.gz">cyrus-sasl-2.1.25.tar.gz</a></font></td>
<td><br>
</td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">13/Sep/2011 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> 72 B </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.25.tar.gz.sig">cyrus-sasl-2.1.25.tar.gz.sig</a></font></td>
<td><br>
</td>
</tr>
<tr>
<td align="left" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1">19/Nov/2012 00:00</font></td>
<td align="right" nowrap="nowrap"><font face="Courier New,
Courier, mono" size="-1"> 4.9 MB </font></td>
<td nowrap="nowrap"><font face="Courier New, Courier, mono"
size="-1"><a
href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.26.tar.gz">cyrus-sasl-2.1.26.tar.gz</a></font></td>
</tr>
</tbody>
</table>
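<p>The hash-list check described in the request above, as an added example (not code from the Cyrus project or from either author): a Python verifier for a <code>SHA512SUMS</code> file in <code>sha512sum</code> format, optionally wrapped in the GPG clearsign armor that <code>gpg --clearsign</code> produces. The tarball contents, the all-zero digest for 2.1.25 and the temporary directory are constructed for the demo. It does not check the signature itself: <code>gpg --verify SHA512SUMS.sign</code> against a key obtained out of band must come first, because an attacker who can replace the tarball on the server can replace an unsigned hash list too (the point of the Linux Mint reference).</p>

```python
"""Verify release tarballs against a (possibly clearsigned) SHA512SUMS file.

Added example, not code from the Cyrus project.  Assumes the layout proposed
in the thread: SHA512SUMS in `sha512sum` format, optionally wrapped in GPG
clearsign armor.  The signature itself must be checked first with
`gpg --verify`; this code only extracts the signed text and checks files.
"""
import hashlib
import hmac
import os
import re
import tempfile

# One sha512sum line: 128 hex digits, a space, then ' ' (text) or '*' (binary),
# then the file name.
_LINE_RE = re.compile(r"^([0-9a-fA-F]{128}) [ *](.+)$")


def clearsign_payload(text):
    """Return the signed text from a GPG clearsign armor, or `text` unchanged
    if it is not clearsigned.  Skips the 'Hash:' header block and undoes the
    RFC 4880 dash-escaping ('- ' prefix) of lines in the signed part."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i] != "":   # armor headers end at a blank line
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body) + "\n"


def parse_sums(text):
    """Parse sha512sum output into {filename: lowercase hex digest}.
    Malformed lines are an error, not skipped: a truncated or corrupted list
    must not silently pass."""
    sums = {}
    for raw in clearsign_payload(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("malformed SHA512SUMS line: %r" % raw)
        sums[m.group(2)] = m.group(1).lower()
    return sums


def sha512_file(path, chunk=1 << 20):
    """Stream the file through SHA-512 so large tarballs are not read whole."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(sums_text, directory):
    """Check every file listed in sums_text under `directory`.
    Returns {filename: 'OK' | 'FAILED' | 'MISSING'}."""
    result = {}
    for name, digest in parse_sums(sums_text).items():
        # A name that escapes the release directory is treated as tampering.
        if os.path.isabs(name) or ".." in name.split("/"):
            result[name] = "FAILED"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "MISSING"
            continue
        ok = hmac.compare_digest(sha512_file(path), digest)
        result[name] = "OK" if ok else "FAILED"
    return result


def demo():
    """Constructed scenario: a good tarball, a listed-but-absent one, then the
    good one modified in place (a server-side swap like the Linux Mint case).
    Returns the verification results before and after the modification."""
    d = tempfile.mkdtemp()
    tarball = os.path.join(d, "cyrus-sasl-2.1.26.tar.gz")  # constructed stand-in
    with open(tarball, "wb") as f:
        f.write(b"pretend tarball contents\n")
    sums = "%s  cyrus-sasl-2.1.26.tar.gz\n" % sha512_file(tarball)
    sums += "%s  cyrus-sasl-2.1.25.tar.gz\n" % ("0" * 128)  # constructed digest
    signed = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" + sums +
              "-----BEGIN PGP SIGNATURE-----\n(omitted)\n-----END PGP SIGNATURE-----\n")
    before = verify(signed, d)
    with open(tarball, "ab") as f:
        f.write(b"backdoor\n")
    after = verify(signed, d)
    return before, after


if __name__ == "__main__":
    print(demo())
```

<p>Two design points worth noting: a hash list fetched from the same FTP server as the tarball only protects against corruption in transit, so the authenticity check is entirely in the signature over <code>SHA512SUMS</code>; and the parser rejects rather than skips malformed lines, so a list truncated or edited on the server cannot pass by simply omitting the entry for the replaced file.</p>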
</body>
</html>