[slf4j-user] Signatures for verifying Slf4j
Elisha Ebenezer
elisha.ebenezer at gmail.com
Fri May 14 07:45:08 CEST 2010
Right, I agree with you on the same point.
Given that slf4j is available through maven central (we use maven for our
build), and md5/sha1 checksums are already posted on that site, having the
same published on the original site would allow for cross verification.
If you examine, ASF also does the same by publishing md5/sha1/asc signatures
on the http://www.apache.org site when allowing their files to be downloaded
from a vast number of mirrors.
For the *time being,* please try and upload the hashes, while you work on
getting the artifacts signed. I *definitely* agree with you that hashes are
*not* a permanent solution for checking the integrity. However, we can use
them as a *temporary* alternative while the *real* solution is on its way.
-Thanks,
Elisha Ebenezer
On Fri, May 14, 2010 at 1:31 AM, Ceki Gülcü <ceki at qos.ch> wrote:
> On 13/05/2010 8:01 AM, Elisha Ebenezer wrote:
>
>> Ceki,
>> I've raised the bug report upon your suggestion. Bug#183
>> <http://bugzilla.slf4j.org/show_bug.cgi?id=183>
>>
>> However, I still request you to specify the md5/sha1 checksums on your
>> site.
>> This will help us to at least convince our security team that integrity
>> of the downloaded files can be verified.
>> Please do the needful.
>> Thanks,
>> Elisha Ebenezer.
>>
>
> An md5 or sha1 checksum on http://slf4j.org would not provide any
> additional security because any adversary who can corrupt the
> distribution files on our site can also, in all likelihood, corrupt
> the checksums appearing on the same site.
>
> I am quite surprised to hear any knowledgeable security professional
> would consider a cryptographic checksum as providing any sort of
> integrity assurance because it does not.
>
> _______________________________________________
> slf4j-user mailing list
> slf4j-user at qos.ch
> http://qos.ch/mailman/listinfo/slf4j-user
>
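The disagreement in this thread (a checksum hosted next to the artifact versus a checksum from an independent site versus a real signature) can be made concrete. The following Go program is an added example and is not code from the thread or from the SLF4J project. It assumes constructed stand-in bytes for a jar, an Ed25519 key derived from a fixed seed in place of a PGP key and .asc file, and a sidecar layout of "<hex digest>" or "<hex digest>  <filename>" like the .sha1 files on Maven Central. It models a project site whose jar and .sha1 file have both been replaced consistently, while Maven Central's copy and the publisher's signing key stay intact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed stand-ins for the bytes of a released jar; the real files
// would be fetched from slf4j.org and from Maven Central.
var (
	genuineArtifact  = []byte("constructed jar bytes: slf4j-api (genuine release)")
	tamperedArtifact = []byte("constructed jar bytes: slf4j-api (modified by attacker)")
	// 32-byte seed for a demo signing key; a real publisher keeps the key offline.
	publisherSeed = []byte("slf4j-demo-seed-0123456789abcdef")
)

// Outcome records what each verification strategy concluded for one download.
type Outcome struct {
	SameSiteChecksum  bool // .sha1 taken from the same host as the jar
	CrossSiteChecksum bool // .sha1 from the site AND from Maven Central both agree
	Signature         bool // detached signature verifies under the publisher key
}

// Sha1Hex returns the lowercase hex digest, the form stored in a .sha1 sidecar file.
func Sha1Hex(data []byte) string {
	sum := sha1.Sum(data)
	return hex.EncodeToString(sum[:])
}

// ParseChecksumFile accepts a bare digest or the sha1sum "<hex>  <name>" form.
func ParseChecksumFile(contents string) string {
	fields := strings.Fields(contents)
	if len(fields) == 0 {
		return ""
	}
	return strings.ToLower(fields[0])
}

// ChecksumMatches is the stop-gap check proposed in the thread.
func ChecksumMatches(artifact []byte, checksumFile string) bool {
	return Sha1Hex(artifact) == ParseChecksumFile(checksumFile)
}

// Evaluate runs all three strategies against one downloaded artifact.
func Evaluate(artifact []byte, siteSha1, centralSha1 string, pub ed25519.PublicKey, sig []byte) Outcome {
	return Outcome{
		SameSiteChecksum:  ChecksumMatches(artifact, siteSha1),
		CrossSiteChecksum: ChecksumMatches(artifact, siteSha1) && ChecksumMatches(artifact, centralSha1),
		Signature:         ed25519.Verify(pub, artifact, sig),
	}
}

// RunScenarios models an honest download and a download from a compromised
// project site. The attacker rewrites both the jar and the .sha1 next to it,
// but cannot touch Maven Central's checksum or produce a valid signature.
func RunScenarios() (genuine, tampered Outcome) {
	priv := ed25519.NewKeyFromSeed(publisherSeed)
	pub := priv.Public().(ed25519.PublicKey)

	// Release time: the publisher signs the jar; both sites carry its digest.
	sig := ed25519.Sign(priv, genuineArtifact)
	centralSha1 := Sha1Hex(genuineArtifact) + "  slf4j-api.jar"
	siteSha1 := Sha1Hex(genuineArtifact)
	genuine = Evaluate(genuineArtifact, siteSha1, centralSha1, pub, sig)

	// Compromise: the project site now serves a consistent jar/.sha1 pair.
	attackerSiteSha1 := Sha1Hex(tamperedArtifact)
	tampered = Evaluate(tamperedArtifact, attackerSiteSha1, centralSha1, pub, sig)
	return genuine, tampered
}

func main() {
	g, t := RunScenarios()
	fmt.Printf("genuine download:  %+v\n", g)
	fmt.Printf("tampered download: %+v\n", t)
}
```

Running it shows the point both sides are making: the same-site checksum passes for the tampered jar, because whoever replaced the jar also replaced the digest beside it, while the cross-site comparison against Maven Central and the signature check both reject it. The cross-site check only helps as long as the two hosts are operated independently; the signature check holds up regardless, provided the verifying key was obtained out-of-band.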