On Wed, 2013-08-14 at 12:24 +0200, Björn Persson wrote: > Artem Bityutskiy wrote: > >On Wed, 2013-08-14 at 11:44 +0200, Till Maas wrote: > >> On Wed, Aug 14, 2013 at 12:21:23PM +0300, Artem Bityutskiy wrote: > >> > On Wed, 2013-08-14 at 10:37 +0200, Till Maas wrote: > >> > > On Wed, Aug 14, 2013 at 09:31:22AM +0300, Artem Bityutskiy wrote: > >> > > > >> > > > Other things like reading from remote sites, progress > >> > > > indicator, protecting your mounted disks, uncompressing > >> > > > on-the-fly, checking sha1 of the data ond of the bmap file > >> > > > itself - are goodies, although important ones. > >> > > > >> > > Why sha1? If the check is there for security reasons, please use > >> > > at least sha256. > >> > > >> > Should not be difficult to implement if there is demand. > >> > >> SHA-256 is used to create the signatures of other distributed files: > >> https://fedoraproject.org/static/checksums/Fedora-19-i386-CHECKSUM > >> > >> Therefore if bmap is used it should also use at least SHA 256. It is > >> recommended against using SHA-1 for more than 7 years now: > >> http://csrc.nist.gov/groups/ST/hash/policy_2006.html > > > >Sure, good point, thank you, I'll implement sha-256 support. > > Speaking of security, how is the integrity of the bmap file itself > verified? A checksum is of no use if you don't know who generated the > checksum. Fedora's checksum files are OpenPGP signed, as you can see in > the one that Till linked to. I don't see a cryptographic signature in > your example file. Are there detached signatures for the bmap files? > And does Bmaptool verify the signatures? I've implemented gpg signature verification. Now the bmap file can be gpg-signed and in this case bmaptool will verify the signature. Both Fedora-like "clearsign" gpg signatures and detached signatures are supported. -- Best Regards, Artem Bityutskiy -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
