Re: [gedit-list] Are there checksums to check downloads against for MSWindows installer?
- From: "J. M. Rees" <jm07734rees gmail com>
- Cc: "gedit-list gnome org" <gedit-list gnome org>
- Subject: Re: [gedit-list] Are there checksums to check downloads against for MSWindows installer?
- Date: Mon, 12 May 2014 09:16:46 +0900
:)
2014-05-11 3:41 GMT+09:00 Jesse van den Kieboom <jesse vandenkieboom epfl ch>:
Well, there is being conscious of the situation, and then there is paranoia.
Indeed.
I'm not sure you can trust me for what I say either, I'm probably that man
in the middle. Here is the sha256sum though:
Well, you see, that's one of the points in security that seems to be
hard to agree on. (Or maybe my opinions are just strange.) I could be
working for the NSA, might have succeeded in penetrating your ftp
servers, and might be now attempting some social engineering of some
sort. 8-( Of course, that would be gambling that you guys don't have
checksums from when you uploaded the binaries to the ftp servers,
among other things. :)
a611e9c233321c29cf8307d94d37e5a9028b2d99bba9ecd06ebb9a670cfb29a2
So yes, I confirm
And, now that I'm back at work, I can confirm that it matches the
download I took on the twenty-first of April. It's not a perfect
confirmation because I only took the sha1 and md5 checksums at the
time, but those still match, and the sha256 checksum I took just now
matches the copies you've provided. Three matches, not perfect proof,
but significantly better than no evidence at all.
People in my office know me, and now they can check the checksum I
have against the one you provide, and evaluate the gedit project with
some assurance of meaningfulness. Without this record in the mail
list, they would have much less basis for evaluation.
Not exactly theatre, even though it sort of looks like it. For people
who don't know me, it amounts to little more than theatre, but they
do have some assurance that someone (you) involved in the project has
apparently corroborated the checksum, and no one on the mail list has
objected to the corroboration.
Perfect security is, of course, impossible. But we can take steps to
raise the barrier to attacks, and that's all I'm doing here.
Thank you. It is much appreciated.
--
Joel Rees
On Saturday, 10 May 2014, J. M. Rees <jm07734rees gmail com> wrote:
2014-05-09 15:57 GMT+09:00 Jesse van den Kieboom <jessevdk gnome org>:
Added
Thanks.
If it wouldn't be too much of a bother, I'd like to ask one more
thing, to make things a bit more difficult for the MIM. Many projects
will post the actual checksums on the announcements list. Could I at
least have you confirm the contents of
http://ftp.gnome.org/pub/GNOME/binaries/win32/gedit/2.30/gedit-2.30.sha256sum
to be
a611e9c233321c29cf8307d94d37e5a9028b2d99bba9ecd06ebb9a670cfb29a2
gedit-setup-2.30.1-1.exe
The present interchange is good enough for my purposes, since I took
the download some time ago. (From memory, it matches to at least the
first four digits. But the machine is at work, so I'll check it again
on Monday before installing.) But others will want a separate path to
confirm the checksum, and confirming it here will provide that.
Hope it's not too much of a bother.
--
Joel Rees
2014-05-09 2:39 GMT+02:00 J. M. Rees <jm07734rees gmail com>:
Has the project posted checksums to check downloads against?
I've been looking around
<http://ftp.gnome.org/pub/GNOME/binaries/win32/gedit/2.30/> and searching the
gnome servers and the web in general for checksums, but I don't see any.
I have permission to install gedit on this MSWindows8 notebook at work,
based on the assumption that I am fully confident that there will be no
parasitic functionality installed in the process. In the present political
climate, I no longer assume that tools like gedit will not be subject to MIM
attacks, so I would like to see some assertion from the project that what I
have is what the project has put up for download.
As an alternative, I could download the installer from three or more
mirrors and do a binary compare of each copy, but that's kind of abusing the
bandwidth. I'm rather considering compiling from source, but I haven't been
able to open up enough time yet. Would Cygwin or MinGW be the preferred
environment for compiling from source, if checksums are not available for the
installer downloads?
--
Joel Rees
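
The check discussed in this thread, as an added example (not part of the original messages and not gedit project code): the local file's SHA-256 is compared with the entry in the server's .sha256sum file, and that entry is in turn compared with a value obtained over a separate path such as the list archive. All function names are illustrative, the sample file is constructed, and file names are assumed to contain no spaces.

```python
import hashlib
import os
import re
import tempfile

# Illustrative names throughout. A sha256sum entry is 64 hex digits, whitespace,
# an optional '*' (binary mode) and a file name. Matching across any whitespace
# also accepts an entry that a mail client wrapped onto two lines.
_ENTRY = re.compile(r"\b([0-9a-fA-F]{64})\s+\*?(\S+)")

def parse_manifest(text):
    """Return {file name: lowercase digest} for every entry found in text."""
    return {name: digest.lower() for digest, name in _ENTRY.findall(text)}

def file_sha256(path, chunk=1 << 20):
    """Hash the file in chunks so a large installer is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, manifest_text, second_channel):
    """Three-way check: local file, server manifest, and a digest from a
    separate path. The manifest is checked first, before the file is read."""
    name = os.path.basename(path)
    published = parse_manifest(manifest_text).get(name)
    if published is None:
        return "not-listed"
    if published != second_channel.strip().lower():
        return "manifest-disagrees-with-second-channel"
    if file_sha256(path) != published:
        return "file-mismatch"
    return "ok"

def demo():
    """Run the check on a constructed file (not the gedit installer)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-setup.exe")
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes")
        good = file_sha256(path)
        manifest = good + "\nsample-setup.exe\n"  # entry wrapped as in a mail
        results = [verify(path, manifest, good), verify(path, manifest, "0" * 64)]
        with open(path, "ab") as f:  # the file changes after the manifest was made
            f.write(b"!")
        results.append(verify(path, manifest, good))
        return results

if __name__ == "__main__":
    print(demo())
```
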