Re: tarball/patch signature files

From: Valdis . Kletnieks
Date: Tue Oct 25 2011 - 03:28:41 EST

On Tue, 25 Oct 2011 03:49:11 +0200, Greg KH said:

> The real check, to verify that this tarball really came from "me" should
> be done on the uncompressed tarball, which is what I can sign, and it is
> something that you, or anyone else, can reliably duplicate on their own
> by just using git and not even downloading the tarball at all.

I'm OK on that part..

> In other words, we just saved you a MASSIVE bandwidth transaction for all
> of your future kernel downloads, and you can reliably know that the
> tarball you have in your system is what is on the servers
> without you even having to download it yourself and run those
> decompression tools that you don't trust.

If you're building an automated process that will take a just-uploaded foo.tar
and generate foo.tar.{bz2,gz,foozip}, can you add a step that would just do an
'md5sum foo.tar.* > foo.tar.sums'? Or sha256sum if you're worried about the
crypto weakness issues with MD5. Personally, I'm more interested in the "Did I
hit a network error that the TCP checksum didn't catch?" case.

No hurry, I know what a beast it can be to redesign systems of this scale. Just
a would-be-nice...

Attachment: pgp00000.pgp
Description: PGP signature
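
The two checks discussed in this message, as an added shell example that is not part of the original e-mail or of any kernel.org tooling: a sums file over the compressed variants catches transfer corruption, while the signature is checked against the decompressed stream. The function names, the gz/bz2/xz extension list and the file names in the comments are assumptions; sha256sum is the GNU coreutils tool.

```shell
#!/bin/sh
# Added illustration; function names and file layout are hypothetical.

# Server side: after foo.tar.{gz,bz2,xz} are generated from an uploaded
# foo.tar, record their checksums in foo.tar.sums (bare file names only).
make_sums() {
    (
        cd "$(dirname "$1")" || exit 1
        base=$(basename "$1")
        set --
        for ext in gz bz2 xz; do
            if [ -f "$base.$ext" ]; then set -- "$@" "$base.$ext"; fi
        done
        [ "$#" -gt 0 ] && sha256sum "$@" > "$base.sums"
    )
}

# Client side, transport check: does the download match its line in the
# sums file? This detects corruption in transit. It says nothing about
# who produced the file, because the sums file itself is unsigned.
check_download() {
    want=$(awk -v f="$(basename "$1")" '$2 == f { print $1 }' "$2")
    have=$(sha256sum < "$1" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Write the uncompressed tar stream of a download to stdout.
decompress() {
    case $1 in
        *.gz)  gzip -dc -- "$1" ;;
        *.bz2) bzip2 -dc -- "$1" ;;
        *.xz)  xz -dc -- "$1" ;;
        *)     cat -- "$1" ;;
    esac
}

# Digest of the data the detached signature covers. It is identical for
# every compressed variant of the same tarball.
payload_digest() {
    decompress "$1" | sha256sum | cut -d' ' -f1
}

# Authenticity check: verify the detached signature ($2) over the
# uncompressed stream of the download ($1), e.g. foo.tar.xz and foo.tar.sign.
verify_signature() {
    decompress "$1" | gpg --verify "$2" -
}
```

A passing check_download only rules out a damaged transfer; verify_signature is what ties the contents to the signer's key.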