From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: David Bremner, Carl Worth, Adam Majer, notmuch@notmuchmail.org
Subject: Re: [PATCH] build: sign tarball instead of sha256sum
Date: Fri, 15 Mar 2019 04:48:55 -0400
Message-ID: <8736noh6a0.fsf@fifthhorseman.net>
In-Reply-To: <87imwkc3ev.fsf@tethera.net>
References: <87mun16gmm.fsf@wondoo.home.cworth.org> <20190213021703.18412-1-david@tethera.net> <87lg1kcqg8.fsf@tethera.net> <87ftrpgjdb.fsf@fifthhorseman.net> <87imwkc3ev.fsf@tethera.net>
List-Id: "Use and development of the notmuch mail system."

On Thu 2019-03-14 22:49:44 -0300, David Bremner wrote:
> OK, so apparently this is a problem for almost every project, including
> GnuPG? That's mildly terrifying...

Sigh, I know :(

> I don't mind either way, but it does seem like there is a tradeoff,
> since with the previous version I suspect many people are just not
> verifying the signature (e.g. can uscan in debian handle the sha256sum
> scheme?).

I thought about that on my bike ride home. The right answer is "uscan
needs to be able to check signatures of this form, and Someone™ should
probably file a report in the BTS".

So I looked in the BTS, and noticed that it's actually already filed
(https://bugs.debian.org/874029) and it's not just notmuch that has
something comparable. I've tagged that bug as Affects: src:notmuch, I
hope that's ok.

But of course the workaround for the meantime until that bug is resolved
is "the debian releases are typically made by the same human who
generates the signed tarballs so him checking his own signature doesn't
provide much in the way of additional security" :P

But I want to reduce the notmuch bus factor too, so hopefully we can get
uscan improved.

        --dkg

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTJDm02IAobkioVCed2GBllKa5f+AUCXItm9wAKCRB2GBllKa5f
+IMGAP9Al7mv1EGiZzAGUQ/Q5dc0BfFmpHfnl7k+0H2InaR4swD/YoJVux6U/zpB
ZhElAWiOC1kai3JzQpMeC0ouIDrs+QM=
=HQbJ
-----END PGP SIGNATURE-----
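The two verification schemes the thread contrasts (a detached signature on the tarball versus a signed sha256sum file), exercised end to end as an added example. This is not code from notmuch, from uscan, or from anyone in the thread. It generates a throwaway key in a scratch GNUPGHOME, builds and signs a constructed release (project-1.0.tar.gz, release@example.invalid and the README content are all made up), verifies both forms, then tampers with the tarball and shows where each scheme fails. It assumes gpg 2.1 or later, sha256sum and tar are installed; if gpg is missing it reports that and skips the demo.

```shell
#!/bin/sh
# Added example (not code from notmuch, uscan, or the thread's authors).
# Exercises the two release-verification schemes the thread contrasts:
#   1. a detached OpenPGP signature on the tarball itself
#   2. a clearsigned sha256sum file next to the tarball
# using a throwaway key in a scratch GNUPGHOME.  Everything here is
# constructed: project-1.0.tar.gz, release@example.invalid, the README.
# Assumes gpg (2.1+), sha256sum and tar are installed.
set -eu

# Reads "gpg --status-fd" lines on stdin and succeeds only if a VALIDSIG line
# names the expected primary-key fingerprint (the last field of that line).
# Checking the "gpg --verify" exit status or grepping GOODSIG is not enough:
# that accepts a signature from *any* key present in the keyring.
valid_sig_from() { # <expected_primary_fpr>
    awk -v want="$1" '/^\[GNUPG:\] VALIDSIG / { if ($NF == want) ok = 1 }
                      END { exit ok ? 0 : 1 }'
}

# Scheme 1: the signature covers the tarball bytes directly.
verify_detached() { # <expected_primary_fpr> <tarball.asc> <tarball>
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | valid_sig_from "$1"
}

# Scheme 2: two checks, both mandatory.  The signature only proves the
# checksum file came from the release key; "sha256sum -c" is what ties it to
# the tarball.  gpg writes the verified plaintext to "$2.verified", so the
# checksum compared is the one under the signature, not an unsigned .sha256
# file that may also sit next to the tarball.
verify_signed_sums() { # <expected_primary_fpr> <tarball.sha256.asc>
    gpg --batch --yes --status-fd 1 --output "$2.verified" --decrypt "$2" 2>/dev/null \
        | valid_sig_from "$1" || return 1
    sha256sum -c "$2.verified" >/dev/null 2>&1
}

# Builds a scratch release in a temp dir with a throwaway key and leaves the
# shell in that dir with GNUPGHOME and RELEASE_FPR exported.
make_scratch_release() {
    WORK=$(mktemp -d)
    export GNUPGHOME="$WORK/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    cd "$WORK"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Key (constructed) <release@example.invalid>' \
        default default never 2>/dev/null
    RELEASE_FPR=$(gpg --batch --with-colons --fingerprint release@example.invalid \
                  | awk -F: '/^fpr:/ { print $10; exit }')
    export RELEASE_FPR

    mkdir project-1.0
    echo 'constructed sample content' > project-1.0/README
    tar -czf project-1.0.tar.gz project-1.0

    # What a release manager publishes under scheme 1 ...
    gpg --batch --yes --pinentry-mode loopback --passphrase '' --armor \
        --detach-sign --output project-1.0.tar.gz.asc project-1.0.tar.gz
    # ... and under scheme 2.
    sha256sum project-1.0.tar.gz > project-1.0.tar.gz.sha256
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --clearsign --output project-1.0.tar.gz.sha256.asc project-1.0.tar.gz.sha256
}

# Appends one byte to the tarball.  Both schemes must now reject it, but note
# where each fails: scheme 1 at the signature; scheme 2's signature is still
# perfectly valid (the sums file was not touched) and only sha256sum -c catches it.
tamper_tarball() {
    printf 'x' >> project-1.0.tar.gz
}

run_demo() {
    RESULT_GOOD_DETACHED=fail RESULT_GOOD_SUMS=fail RESULT_WRONG_KEY=fail
    RESULT_TAMPERED_DETACHED=fail RESULT_TAMPERED_SUMS=fail
    if ! command -v gpg >/dev/null 2>&1; then
        echo 'gpg not installed; skipping the demo' >&2
        RESULT_GOOD_DETACHED=skipped RESULT_GOOD_SUMS=skipped RESULT_WRONG_KEY=skipped
        RESULT_TAMPERED_DETACHED=skipped RESULT_TAMPERED_SUMS=skipped
        return 0
    fi
    make_scratch_release
    verify_detached "$RELEASE_FPR" project-1.0.tar.gz.asc project-1.0.tar.gz && RESULT_GOOD_DETACHED=ok
    verify_signed_sums "$RELEASE_FPR" project-1.0.tar.gz.sha256.asc && RESULT_GOOD_SUMS=ok
    # Genuine signature, but not from the key we expect: must be rejected.
    verify_detached 'NOT-THE-RELEASE-KEY' project-1.0.tar.gz.asc project-1.0.tar.gz \
        || RESULT_WRONG_KEY=rejected
    tamper_tarball
    verify_detached "$RELEASE_FPR" project-1.0.tar.gz.asc project-1.0.tar.gz \
        || RESULT_TAMPERED_DETACHED=rejected
    verify_signed_sums "$RELEASE_FPR" project-1.0.tar.gz.sha256.asc \
        || RESULT_TAMPERED_SUMS=rejected
    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "detached sig, good tarball:        $RESULT_GOOD_DETACHED"
    echo "signed sums,  good tarball:        $RESULT_GOOD_SUMS"
    echo "detached sig, wrong expected key:  $RESULT_WRONG_KEY"
    echo "detached sig, tampered tarball:    $RESULT_TAMPERED_DETACHED"
    echo "signed sums,  tampered tarball:    $RESULT_TAMPERED_SUMS"
}

run_demo
```

Two points this makes concrete. First, a verifier has to pin the expected fingerprint (here the last field of gpg's VALIDSIG status line) rather than accept whatever key is in the keyring; the wrong-key case is rejected even though the signature itself is genuine. Second, with the sha256sum scheme the signature check is only half the job: after tampering, the signed sums file still verifies cleanly and only the checksum comparison fails, which is exactly the extra step a downstream tool such as uscan has to implement before it can be said to be verifying the release at all.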