-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tim Starling wrote:
> Additionally, we could host hashes on the HTTPS server instead of sending
> them out by email. That way we could update the tarball without sending
> out a new release announcement, and reduce the amount of technical clutter
> in the email.
A malicious replacement of the master files wouldn't then be protected,
as the attacker could update the hash files (which, unlike signatures,
wouldn't show a different signing key to make them suspicious).
Relying solely on the security of the download server and whatever the
file permissions on that directory happen to be at the time is nice and
all, but posting the damn hashes adds defense in depth and, most
importantly, *raises a warning* when a release has been silently
changed, which should never happen -- at best it complicates support
issues since it's harder for people (who don't know how to check hashes,
or who can't find the second announce about the change) to know which
version they've got, etc.
> All of this misses the most common source of file corruption, which is the
> FTP upload from a user's computer to their shared hosting account,
> post-unpack. We often get reports on IRC of files missing or truncated. We
> had one just today (RingtailedFox). I'd like to have a file integrity
> check in the installer.
If hash-based this would be very annoying for people doing any custom
patching. :)
A general "check all files to make sure PHP parses them correctly" might
be nice, though.
- -- brion
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjr03cACgkQwRnhpk1wk44rRwCgq2FCxzYWS5Oga5OhSPNZTl9s
EyAAnjczmJn7l8cH+umPLasKrvC0BHqA
=j/iL
-----END PGP SIGNATURE-----
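The installer-side integrity check discussed above, as an added example that is not code from the thread or from MediaWiki: a manifest of (path, size, SHA-1) is built from the pristine release tree, and after the FTP upload the same check walks the installed tree and classifies each entry as ok, missing, truncated (shorter than the manifest says, the typical interrupted-transfer symptom) or modified (different hash, which may simply be a local patch, so it is reported rather than treated as fatal). The file names and contents are constructed for the demo; nothing here is a real MediaWiki file.

```python
"""Post-upload file integrity check (added example, not MediaWiki code).

A manifest is recorded from the pristine release tree; after upload the
same check runs over the installed tree and reports each file's state.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

Manifest = Dict[str, Tuple[int, str]]  # relative path -> (size, sha1 hex)


def sha1_of(path: str) -> str:
    """Stream a file through SHA-1 so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Walk the pristine tree and record size and SHA-1 of every regular file."""
    manifest: Manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha1_of(full))
    return manifest


def check_tree(root: str, manifest: Manifest) -> Dict[str, str]:
    """Classify each manifest entry against the uploaded tree.

    Size is compared before hashing so a short file is reported as
    'truncated' (the FTP failure mode) rather than a generic mismatch.
    """
    result: Dict[str, str] = {}
    for rel, (size, digest) in sorted(manifest.items()):
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            result[rel] = "missing"
        elif os.path.getsize(full) < size:
            result[rel] = "truncated"   # interrupted or partial upload
        elif sha1_of(full) != digest:
            result[rel] = "modified"    # local patch or corrupted content
        else:
            result[rel] = "ok"
    return result


def demo() -> Dict[str, str]:
    """Constructed scenario: a four-file 'release' uploaded with one file
    truncated, one missing and one locally patched."""
    with tempfile.TemporaryDirectory() as tmp:
        release = os.path.join(tmp, "release")
        upload = os.path.join(tmp, "upload")
        files = {  # constructed sample contents, not real MediaWiki files
            "index.php": b"<?php\nrequire 'includes/WebStart.php';\n",
            "includes/WebStart.php": b"<?php\n" + b"// setup\n" * 50,
            "LocalSettings.php": b"<?php\n// site configuration\n",
            "README": b"Release tarball (constructed sample)\n",
        }
        for tree in (release, upload):
            for rel, data in files.items():
                p = os.path.join(tree, *rel.split("/"))
                os.makedirs(os.path.dirname(p), exist_ok=True)
                with open(p, "wb") as f:
                    f.write(data)
        manifest = build_manifest(release)
        # Simulate the failure modes seen after FTP upload, plus a local patch.
        with open(os.path.join(upload, "includes", "WebStart.php"), "wb") as f:
            f.write(files["includes/WebStart.php"][:100])      # truncated
        os.remove(os.path.join(upload, "README"))              # missing
        with open(os.path.join(upload, "LocalSettings.php"), "ab") as f:
            f.write(b"// local patch\n")                        # modified
        return check_tree(upload, manifest)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:10s} {rel}")
```

Reporting "modified" separately from "truncated" and "missing" is what keeps the check usable for people who patch their installs: a truncated or missing file is always a problem to fix, while a modified file is only worth a notice.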