FS#49979 - [binutils] change the source, add the public key fingerprint, use sha512
Attached to Project:
Arch Linux
Opened by . (flysprayer) - Thursday, 07 July 2016, 03:30 GMT
Last edited by Allan McRae (Allan) - Sunday, 08 January 2017, 06:29 GMT
Details
https://ftp.gnu.org/gnu/binutils/
never forget to add the public key fingerprints: https://ftp.gnu.org/gnu/binutils/binutils-2.26.1.tar.bz2.sig
stop using md5 and sha1, use sha512: ftp://sourceware.org/pub/binutils/releases/sha512.sum
Closed by Allan McRae (Allan)
Sunday, 08 January 2017, 06:29 GMT
Reason for closing: Won't implement
1) We do not use HTTPS, which leaves us vulnerable to MITM. In China even with HTTPS it is possible to be MITM'd: http://www.netresec.com/?page=Blog&month=2013-02&post=Forensics-of-Chinese-MITM-on-GitHub
2) The git repository itself can be hacked (as in the past https://www.rapid7.com/db/modules/exploit/multi/http/git_client_command_exec) or social engineered: https://github.com/aguerrero/Faking-Git-Commits
For these reasons using GPG and SHA512 fingerprints of releases provides a better layer of integrity and trust.
Thanks for the consideration.
https://ftp.gnu.org/gnu/binutils/binutils-2.27.tar.bz2
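The report asks that the package's tarball be checked against the upstream sha512.sum listing rather than an MD5 or SHA-1 digest. The following POSIX shell script is an added example, not part of the bug report and not Arch's or binutils' own tooling: it implements that check as a function, `verify_sha512`, that looks up a file's entry in a sha512.sum listing (the "<hash>  <filename>" format that `sha512sum` emits and the sourceware.org file uses) and compares it with the locally computed digest. The release file, the listing and the tampered copy are all constructed inside a temporary directory so the script runs offline; the file name binutils-2.27.tar.bz2 is borrowed from the report, its contents here are made up.

```shell
#!/bin/sh
# Added example (not from the bug report): verify a release file against an
# upstream sha512.sum listing of the form "<hash>  <filename>".

# verify_sha512 FILE SUMFILE
# Exit status: 0 when FILE's SHA-512 matches the listing entry for its
# basename, 1 on mismatch, 2 when the listing has no entry for that name.
# A missing entry is reported separately so it is never mistaken for success.
verify_sha512() {
    file=$1
    sumfile=$2
    name=$(basename "$file")
    # Match the filename field exactly; tolerate a leading "*" (binary mode
    # marker some tools write) and ignore unrelated entries in the listing.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "no sha512 entry for $name in $sumfile" >&2
        return 2
    fi
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "sha512 OK: $name"
        return 0
    fi
    echo "sha512 MISMATCH for $name" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Constructed scenario (sample data, not real release contents):
#   $demo_dir/binutils-2.27.tar.bz2       pristine file the listing was made from
#   $demo_dir/sha512.sum                  listing generated from the pristine file
#   $demo_dir/mitm/binutils-2.27.tar.bz2  same name, altered contents
#   $demo_dir/unlisted.tar.bz2            file the listing never mentions
demo_dir=$(mktemp -d)
printf 'constructed pristine release contents\n' > "$demo_dir/binutils-2.27.tar.bz2"
( cd "$demo_dir" && sha512sum binutils-2.27.tar.bz2 > sha512.sum )
mkdir "$demo_dir/mitm"
printf 'constructed altered release contents\n' > "$demo_dir/mitm/binutils-2.27.tar.bz2"
printf 'constructed unlisted contents\n' > "$demo_dir/unlisted.tar.bz2"

# Run the three cases; each prints its verdict and the exit status is shown.
for f in "$demo_dir/binutils-2.27.tar.bz2" \
         "$demo_dir/mitm/binutils-2.27.tar.bz2" \
         "$demo_dir/unlisted.tar.bz2"; do
    verify_sha512 "$f" "$demo_dir/sha512.sum"
    echo "exit status: $?"
done
```

The digest check only proves the file matches the listing; it says nothing about whether the listing itself is authentic, which is why the report also asks for the detached GPG signature to be verified against a pinned key fingerprint. In a PKGBUILD those two checks correspond to a `sha512sums` entry and a `validpgpkeys` entry alongside the `.sig` file in `source`.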