File integrity recommendations for your source tarballs

Luke g4jc at openmailbox.org
Sun Nov 6 11:39:21 EST 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



Hello,
I am contacting you as a package maintainer of Parabola GNU/Linux-libre,
a fully free operating system in compliance with the Free Software
Foundation's GNU FSDG. We also have a focus on privacy and security.

We attempt to ensure that all of our packages and upstream are secure.
As such I discovered a problem with several of your packages,
including "cyrus-sasl".

There is currently no hash check for the files on your FTP.
And the GPG signature used to verify has an algorithm which is
considered broken by Debian.

This is particularly important since there have been recent attacks
which replaced files on upstream servers. Take for example the Linux
Mint hack earlier this year.
(https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-c
hecksums/)

I would like to request that you please upload a SHA512 checksum of your
cyrus-sasl tar.gz files, as well as sign the SHA512 with a stronger
GPG signature.

Technical documentation on how to do this:
http://docs.oracle.com/cd/E36784_01/html/E36870/sha512sum-1.html
sha512sum * > SHA512SUMS

https://keyring.debian.org/creating-key.html
https://help.ubuntu.com/community/GnuPrivacyGuardHowto
https://access.redhat.com/solutions/1541303
gpg --clearsign -o SHA512SUMS.sign SHA512SUMS


The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be
uploaded to your site (or on another site/server for added security), so
that package maintainers can verify that the source is accurate and
unhacked by a third-party prior to packaging. Hosting via HTTPS would
also improve protection against MITM attacks that occur with FTP.

Thank you for your time and concern.


Sincerely,
Luke
Parabola GNU/Linux-libre Packager

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYH1yxAAoJEMP0/88+roaX+K4P/2+EHigMKFaCnf0k3Rc+PVjh
dBTntHrH+hf8YgwrEIAm+cbNqHNu9tEnvATh1GVq2QaI2u6f3Lw/BXIi4FXZo9lA
YzEMzLCmxN1z5isxqd+xXtn9HNdpJK31uTR6g2cNBHI2CyZrpzNdDFKG3qKXN12k
SSUJBl6a/SL71I8Voo9C8shR9mvyQyrX3uIx5yEbUIybX8YQxx7gxxVa+YBvy/Zh
16WhpBSy/OnCrn8cjpQeWWkbWivRCBpVuFpSs9MHJZ+/4h2pFLCN/7TNm6u7ogxN
IT6sWFjBzfaqG5mPXJ/dYGEGc4oIGQgBSia+bALwIF78CG6R6RjUyM5DoQfBvi1m
PxjoedjkjVdFXW52kIJVyoARItgO3qJRRybI2GIvGJBmQKFggDqMTjqCuVnYby6B
V3JIrQ/VvVuaL/qTXXQu5h4vjkelI3xUPZFnyp0J4u4jhwejGfgmpccFcSrWN6Vv
ESLHCs7a1WeudGcZ53tEl65xNfWF4n+h7JhbJObIllzrc6wCurrRzTHxBnFxYTeq
04QE1Gmkn+JHG8tvPs62oWXHGuUF8mY7xoGOuUcoTKEOdl9mMlmWqgLGumcuKHpu
4zxw+RDK3s02IBfQ/e5f1T8FFv9FbqoJOVGnv/DTGTl5QgksEipjX9ulSV1Ff8Va
YSTrcNQ+6JTrGHDSku0l
=QZO5
-----END PGP SIGNATURE-----


More information about the Cyrus-devel mailing list