Suggestion: bmap files and bmaptool

Björn Persson bjorn at xn--rombobjrn-67a.se
Wed Aug 14 10:24:11 UTC 2013


Artem Bityutskiy wrote:
>On Wed, 2013-08-14 at 11:44 +0200, Till Maas wrote:
>> On Wed, Aug 14, 2013 at 12:21:23PM +0300, Artem Bityutskiy wrote:
>> > On Wed, 2013-08-14 at 10:37 +0200, Till Maas wrote:
>> > > On Wed, Aug 14, 2013 at 09:31:22AM +0300, Artem Bityutskiy wrote:
>> > > 
>> > > > Other things like reading from remote sites, progress
>> > > > indicator, protecting your mounted disks, uncompressing
>> > > > on-the-fly, checking sha1 of the data and of the bmap file
>> > > > itself - are goodies, although important ones.
>> > > 
>> > > Why sha1? If the check is there for security reasons, please use
>> > > at least sha256.
>> > 
>> > Should not be difficult to implement if there is demand.
>> 
>> SHA-256 is used to create the signatures of other distributed files:
>> https://fedoraproject.org/static/checksums/Fedora-19-i386-CHECKSUM
>> 
>> Therefore if bmap is used it should also use at least SHA 256. It has
>> been recommended against using SHA-1 for more than 7 years now:
>> http://csrc.nist.gov/groups/ST/hash/policy_2006.html
>
>Sure, good point, thank you, I'll implement sha-256 support.

Speaking of security, how is the integrity of the bmap file itself
verified? A checksum is of no use if you don't know who generated the
checksum. Fedora's checksum files are OpenPGP signed, as you can see in
the one that Till linked to. I don't see a cryptographic signature in
your example file. Are there detached signatures for the bmap files?
And does Bmaptool verify the signatures?

-- 
Björn Persson

Sent from my computer.
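
The point raised in the message above, as an added example that is not part of the original post and not Bmaptool's code: checksums stored inside a file show only that the file is internally consistent, while a digest taken from a separately verified, signed checksum file ties it to the publisher. The JSON manifest is a constructed stand-in rather than the real bmap format, all function names are hypothetical, and the OpenPGP signature check itself is assumed to have been done beforehand.

```python
import hashlib
import hmac
import json

ZERO = "0" * 64  # placeholder for the self-checksum field while hashing


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(image: bytes) -> bytes:
    """Constructed stand-in for a bmap file (not the real bmap format)."""
    body = {"image_sha256": sha256_hex(image), "self_sha256": ZERO}
    body["self_sha256"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return json.dumps(body, sort_keys=True).encode()


def self_check(manifest: bytes, image: bytes) -> bool:
    """Embedded checksums only: proves internal consistency, not origin."""
    body = json.loads(manifest)
    claimed, body["self_sha256"] = body["self_sha256"], ZERO
    expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return (hmac.compare_digest(claimed, expected)
            and hmac.compare_digest(body["image_sha256"], sha256_hex(image)))


def anchored_check(manifest: bytes, image: bytes, trusted_sha256: str) -> bool:
    """Accept the manifest only if it matches a digest from a trusted source.

    Assumption: trusted_sha256 was read from an OpenPGP-signed checksum file
    whose signature was already verified (for example with gpg --verify).
    """
    return (hmac.compare_digest(sha256_hex(manifest), trusted_sha256)
            and self_check(manifest, image))


if __name__ == "__main__":
    image = b"constructed sample image contents"
    manifest = make_manifest(image)
    trusted = sha256_hex(manifest)  # stands in for the signed checksum entry

    # Someone who can replace both files simply regenerates the checksums.
    swapped_image = b"constructed replacement contents"
    swapped_manifest = make_manifest(swapped_image)

    print(self_check(swapped_manifest, swapped_image))               # True
    print(anchored_check(swapped_manifest, swapped_image, trusted))  # False
    print(anchored_check(manifest, image, trusted))                  # True
```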