Bug#874029: /usr/bin/uscan: Re: [uscan] Please support verification against a signed file of hashsums

Mike Hommey mh+reportbug at glandium.org
Sat Dec 30 06:12:14 UTC 2017


Package: devscripts
Version: 2.17.11
Followup-For: Bug #874029

> How many packages are of this type?

I can't tell you how many, but I can tell you that's how Mozilla does it
too, so this applies to firefox, thunderbird, nspr and nss:

https://download-installer.cdn.mozilla.net/pub/firefox/releases/52.5.3esr/SHA256SUMS.asc
https://download-installer.cdn.mozilla.net/pub/thunderbird/releases/52.5.2/SHA512SUMS.asc
https://download-installer.cdn.mozilla.net/pub/nspr/releases/v4.17/src/SHA256SUMS
https://download-installer.cdn.mozilla.net/pub/security/nss/releases/NSS_3_34_1_RTM/src/SHA256SUMS

Note there's actually no signature for nspr and nss (ironically), which
makes me think checking hashes without signatures could be useful too.
I think I've seen other upstreams with hashes without signatures. Well,
as a matter of fact, there are at least some on the GNOME ftp:
http://ftp.gnome.org/pub/gnome/sources/glib/2.55/glib-2.55.0.sha256sum

Sure, this is not secure, but security is not the only reason one might
want to check hashes. You can just want to double check you got the
right archive, and not something with some bit flips (although arguably,
that would probably fail to uncompress).

Mike
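The two checks discussed in this thread, as an added example that is not part of the original message nor of devscripts: parsing a SHA256SUMS/SHA512SUMS-style file (the "<hexdigest>  <path>" format sha256sum(1) and the Mozilla release files use), comparing a downloaded archive against it, and, separately, verifying a detached OpenPGP signature on the hash file with gpg. The tarball bytes, file names and hash files below are constructed for the demo, not taken from any release; the clearsigned wrapper handling and the gpg invocation are assumptions about how a signed hash file might be published, not a description of what uscan does.

```python
"""Check a download against a SHA256SUMS/SHA512SUMS-style file.

Added example (not devscripts or Mozilla code).  Without a verified
signature on the hash file, a match only proves the bytes were not
corrupted in transit; a server that can replace the tarball can replace
the unsigned hash file just as easily.
"""
import hashlib
import posixpath
import re
import subprocess

# Digest algorithm is inferred from the hex length, as sha*sum(1) files
# carry no algorithm name.
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# "<hex>  <path>" or "<hex> *<path>" (binary mode); anything else is ignored.
_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def strip_clearsign(text):
    """Return the signed body if `text` is PGP clearsigned, else `text` unchanged.

    Only the armor layout is removed here; this verifies nothing.  Check the
    signature with gpg (see verify_detached_signature) before trusting it.
    """
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    body_start = text.index("\n\n") + 2  # blank line ends the armor headers
    body_end = text.index("-----BEGIN PGP SIGNATURE-----")
    body = text[body_start:body_end].splitlines()
    # Clearsigned bodies dash-escape lines that start with '-'.
    return "\n".join(line[2:] if line.startswith("- ") else line
                     for line in body) + "\n"


def parse_sums(text):
    """Map each listed file's basename to (algorithm, hexdigest)."""
    entries = {}
    for line in strip_clearsign(text).splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # blank line, comment or armor header, not an entry
        hexdigest, path = m.group(1).lower(), m.group(2)
        algo = _ALGO_BY_HEXLEN.get(len(hexdigest))
        if algo is None:
            raise ValueError("unrecognised digest length in: %r" % line)
        # Release hash files often list paths in subdirectories
        # (e.g. "linux-x86_64/en-US/..."); match on the basename.
        entries[posixpath.basename(path)] = (algo, hexdigest)
    return entries


def check_download(sums_text, filename, data):
    """Return "ok", "mismatch" or "unlisted" for `data` saved as `filename`."""
    entry = parse_sums(sums_text).get(posixpath.basename(filename))
    if entry is None:
        return "unlisted"
    algo, expected = entry
    actual = hashlib.new(algo, data).hexdigest()
    return "ok" if actual == expected else "mismatch"


def verify_detached_signature(sig_path, data_path, keyring):
    """True if gpg reports a GOODSIG on `data_path` from a key in `keyring`.

    `keyring` is a gpg keyring file holding only upstream's signing key
    (e.g. built with: gpg --no-default-keyring --keyring ./upstream.gpg
    --import signing-key.asc), so no key from the default keyring can vouch
    for the download by accident.  Not exercised in the offline demo.
    """
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring, "--batch",
         "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    status = proc.stdout.decode("utf-8", "replace")
    # Exit status 0 plus an explicit GOODSIG line; EXPKEYSIG/REVKEYSIG/BADSIG
    # all fail this test.
    return proc.returncode == 0 and "[GNUPG:] GOODSIG " in status


# --- constructed demo input (not a real release) ---------------------------
TARBALL = b"\x1f\x8b" + b"demo bytes standing in for a compressed tarball\n" * 8
SUMS_SHA256 = "%s  linux-x86_64/en-US/demo-1.0.tar.gz\n" % (
    hashlib.sha256(TARBALL).hexdigest())
SUMS_SHA512 = "%s  demo-1.0.tar.gz\n" % hashlib.sha512(TARBALL).hexdigest()
# A clearsigned variant of the same list; the signature block is a placeholder.
SUMS_SIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
               + SUMS_SHA256 +
               "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n"
               "-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    flipped = bytearray(TARBALL)
    flipped[5] ^= 0x01  # single bit flip, the corruption case from the thread
    print("intact  :", check_download(SUMS_SHA256, "demo-1.0.tar.gz", TARBALL))
    print("bit flip:", check_download(SUMS_SHA256, "demo-1.0.tar.gz", bytes(flipped)))
    print("signed  :", check_download(SUMS_SIGNED, "demo-1.0.tar.gz", TARBALL))
    print("sha512  :", check_download(SUMS_SHA512, "demo-1.0.tar.gz", TARBALL))
```

In the signed case the order matters: run verify_detached_signature on the hash file first and only then trust check_download; for an unsigned file such as the nspr/nss SHA256SUMS or the GNOME .sha256sum, check_download is a corruption check and nothing more.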
