File integrity recommendations for your source tarballs

Jan Parcel jan.parcel at oracle.com
Mon Nov 7 11:43:39 EST 2016


On 11/06/2016 08:39 AM, Luke via Cyrus-devel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
>
> Hello,
> I am contacting you as a package maintainer of Parabola GNU/Linux-libre,
> a fully free operating system in compliance with the Free Software
> Foundation's GNU FSDG. We also have a focus on privacy and security.
>
> We attempt to ensure that all of our packages and upstream are secure.
> As such I discovered a problem with several of your packages,
> including "cyrus-sasl".
>
> There is currently no hash check for the files on your FTP.
> And the GPG signature used to verify has an algorithm which is
> considered broken by Debian.
>
> This is particularly important since there have been recent attacks
> which replaced files on upstream servers. Take for example the Linux
> Mint hack earlier this year.
> (https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/)
>
> I would like to request that you please upload a SHA512 checksum of your
> cyrus-sasl tar.gz files, as well as sign the SHA512 with a stronger
> GPG signature.
>
> Technical documentation on how to do this:
> http://docs.oracle.com/cd/E36784_01/html/E36870/sha512sum-1.html
> sha512sum * > SHA512SUMS
>
> https://keyring.debian.org/creating-key.html
> https://help.ubuntu.com/community/GnuPrivacyGuardHowto
> https://access.redhat.com/solutions/1541303
> gpg --clearsign -o SHA512SUMS.sign SHA512SUMS
>
>
> The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be
> uploaded to your site (or on another site/server for added security), so
> that package maintainers can verify that the source is accurate and
> unhacked by a third-party prior to packaging. Hosting via HTTPS would
> also improve protection against MITM attacks that occur with FTP.
>
> Thank you for your time and concern.
>
>
> Sincerely,
> Luke
> Parabola GNU/Linux-libre Packager
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJYH1yxAAoJEMP0/88+roaX+K4P/2+EHigMKFaCnf0k3Rc+PVjh
> dBTntHrH+hf8YgwrEIAm+cbNqHNu9tEnvATh1GVq2QaI2u6f3Lw/BXIi4FXZo9lA
> YzEMzLCmxN1z5isxqd+xXtn9HNdpJK31uTR6g2cNBHI2CyZrpzNdDFKG3qKXN12k
> SSUJBl6a/SL71I8Voo9C8shR9mvyQyrX3uIx5yEbUIybX8YQxx7gxxVa+YBvy/Zh
> 16WhpBSy/OnCrn8cjpQeWWkbWivRCBpVuFpSs9MHJZ+/4h2pFLCN/7TNm6u7ogxN
> IT6sWFjBzfaqG5mPXJ/dYGEGc4oIGQgBSia+bALwIF78CG6R6RjUyM5DoQfBvi1m
> PxjoedjkjVdFXW52kIJVyoARItgO3qJRRybI2GIvGJBmQKFggDqMTjqCuVnYby6B
> V3JIrQ/VvVuaL/qTXXQu5h4vjkelI3xUPZFnyp0J4u4jhwejGfgmpccFcSrWN6Vv
> ESLHCs7a1WeudGcZ53tEl65xNfWF4n+h7JhbJObIllzrc6wCurrRzTHxBnFxYTeq
> 04QE1Gmkn+JHG8tvPs62oWXHGuUF8mY7xoGOuUcoTKEOdl9mMlmWqgLGumcuKHpu
> 4zxw+RDK3s02IBfQ/e5f1T8FFv9FbqoJOVGnv/DTGTl5QgksEipjX9ulSV1Ff8Va
> YSTrcNQ+6JTrGHDSku0l
> =QZO5
> -----END PGP SIGNATURE-----
I just checked and I don't see a .sig file for 2.1.26?  I can verify that the sha256 signature for the file has not changed in the last couple of years.


Parent Directory                                  <ftp://ftp.cyrusimap.org/>
03/Sep/2010 00:00   dir      BINARY-DISTRIBUTION          <ftp://ftp.cyrusimap.org/cyrus-sasl/BINARY-DISTRIBUTION/>
09/Aug/2010 00:00   dir      OLD-VERSIONS                 <ftp://ftp.cyrusimap.org/cyrus-sasl/OLD-VERSIONS/>
30/Jul/2010 00:00   5.3 MB   cyrus-sasl-1.5.28.tar.gz     <ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-1.5.28.tar.gz>
30/Jul/2010 00:00   66 B     cyrus-sasl-1.5.28.tar.gz.sig <ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-1.5.28.tar.gz.sig>
30/Jul/2010 00:00   1.5 MB   cyrus-sasl-2.1.23.tar.gz     <ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.23.tar.gz>
30/Jul/2010 00:00   72 B     cyrus-sasl-2.1.23.tar.gz.sig <ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.23.tar.gz.sig>
30/Jul/2010 00:00   1.5 MB   cyrus-sasl-2.1.24rc1.tar.gz  <ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.24rc1.tar.gz>
30/Jul/2010 00:00   72 B     cyrus-sasl-2.1.24rc1.tar.gz.sig <ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.24rc1.tar.gz.sig>
13/Sep/2011 00:00   4.9 MB   cyrus-sasl-2.1.25.tar.gz     <ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.25.tar.gz>
13/Sep/2011 00:00   72 B     cyrus-sasl-2.1.25.tar.gz.sig <ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.25.tar.gz.sig>
19/Nov/2012 00:00   4.9 MB   cyrus-sasl-2.1.26.tar.gz     <ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.26.tar.gz>
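The procedure Luke quotes (sha512sum to produce SHA512SUMS, gpg --clearsign to sign it) together with the check a downstream packager would then run, as an added example that is not part of either message above and not code from the cyrus-sasl project. The tarball names and contents are constructed sample data; GNU coreutils sha512sum and GnuPG 2.1+ option names (--quick-gen-key, --pinentry-mode loopback) are assumed. Two caveats the script makes explicit: a SHA512SUMS file fetched from the same server as the tarball only detects corruption, not an attacker who replaced both (the Linux Mint case), so the decision rests on the signature and on a signing key obtained out of band; and the signature's digest algorithm id is extracted so that a file signed with an algorithm a distribution no longer accepts (SHA-1 is assumed here to be the one Luke means) can be rejected mechanically rather than by eyeballing gpg output.

```shell
#!/bin/sh
# Added example, not code from the cyrus-sasl project or from either message.
# Release side: make_release_sums + sign_sums (the two commands quoted above).
# Maintainer side: verify_sums, signature_digest_algo, verify_tarball.
# Tarball names/contents below are constructed; GnuPG 2.1+ options assumed.
set -eu

# make_release_sums DIR: write DIR/SHA512SUMS covering every .tar.gz in DIR.
make_release_sums() {
    ( cd "$1" && sha512sum -- *.tar.gz > SHA512SUMS )
}

# verify_tarball DIR FILE: 0 if FILE matches its SHA512SUMS entry,
# 1 if the sum differs (swapped or corrupted file), 2 if there is no entry.
verify_tarball() {
    dir=$1
    file=$2
    # awk splits on whitespace, so $2 is the file name; an exact match avoids
    # prefix collisions such as foo.tar.gz matching foo.tar.gz.sig.
    entry=$(awk -v f="$file" '$2 == f' "$dir/SHA512SUMS")
    if [ -z "$entry" ]; then
        echo "verify: no SHA512SUMS entry for $file" >&2
        return 2
    fi
    if ( cd "$dir" && printf '%s\n' "$entry" | sha512sum -c --status ); then
        return 0
    fi
    echo "verify: SHA-512 mismatch for $file" >&2
    return 1
}

# sign_sums DIR / verify_sums DIR: clear-sign SHA512SUMS with the key in
# $GNUPGHOME, and check that signature (a key the packager obtained out of
# band is what makes the check meaningful, not a key fetched from the same FTP).
sign_sums() {
    gpg --batch --yes --clearsign -o "$1/SHA512SUMS.sign" "$1/SHA512SUMS"
}
verify_sums() {
    gpg --batch --verify "$1/SHA512SUMS.sign" 2>/dev/null
}

# signature_digest_algo FILE: OpenPGP digest algorithm id used by the signature
# (2 = SHA-1, 8 = SHA-256, 10 = SHA-512), so a policy like "reject 2" is scriptable.
signature_digest_algo() {
    gpg --list-packets "$1" 2>/dev/null \
        | sed -n 's/.*digest algo \([0-9]*\).*/\1/p' | head -n 1
}

# --- demo on constructed files ------------------------------------------------
release=$(mktemp -d)
demo_keys=$(mktemp -d)
cleanup() {
    # Only touch the agent if it was started for the throwaway keyring.
    if [ "${GNUPGHOME:-}" = "$demo_keys" ] && command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent 2>/dev/null || true
    fi
    rm -rf "$release" "$demo_keys"
}
trap cleanup EXIT

printf 'constructed sample tarball 2.1.26\n' > "$release/cyrus-sasl-2.1.26.tar.gz"
printf 'constructed sample tarball 2.1.25\n' > "$release/cyrus-sasl-2.1.25.tar.gz"
make_release_sums "$release"

if command -v gpg >/dev/null 2>&1; then
    GNUPGHOME=$demo_keys; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Throwaway ed25519 key for the demo; a real release uses the maintainer's
    # published long-lived key.
    if gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
           --quick-gen-key 'Demo Release <demo@example.invalid>' ed25519 sign never 2>/dev/null; then
        sign_sums "$release"
        verify_sums "$release" && echo "SHA512SUMS signature verifies"
        echo "signature digest algo id: $(signature_digest_algo "$release/SHA512SUMS.sign")"
    else
        echo "gpg key generation unavailable here; skipping the signing demo"
    fi
fi

for f in cyrus-sasl-2.1.26.tar.gz cyrus-sasl-2.1.25.tar.gz; do
    verify_tarball "$release" "$f" && echo "$f: OK"
done
# Simulate the tarball being replaced on the server while SHA512SUMS stays.
printf 'backdoor\n' >> "$release/cyrus-sasl-2.1.26.tar.gz"
verify_tarball "$release" cyrus-sasl-2.1.26.tar.gz || echo "cyrus-sasl-2.1.26.tar.gz: REJECTED (rc=$?)"
```

Run with sh: the two untouched tarballs print OK, the swapped one is rejected with rc=1, and a name absent from SHA512SUMS (Jan's missing-.sig situation, transposed to the checksum list) returns 2 rather than passing silently. The gpg section is skipped when gpg is not installed or cannot generate a key in the environment.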
