Mailinglist Archive: opensuse-project (66 mails)
| < Previous | Next > |
RE: [opensuse-project] Site going down at release - solution
- From: "Anthony Bryan" <albryan@xxxxxxxxxxx>
- Date: Mon, 8 Jan 2007 10:08:34 -0500
- Message-id: <001601c73336$def57fb0$9ce07f10$@net>
> On Tue, 19 Dec 2006, Carlos E. R. wrote:
> > The "snag" is that checking both checksum and signature doubles
> checking
> > time. I suppose that the user could select which one to use, same as
> rpm
> > does, having both systems too, if I'm not mistaken.
>
> A cryptographic signature should detect data corruption as well as a
> checksum -- after all it needs to detect willful tampering, not just
> technical corruption. So that should suffice, shouldn't it?
Definitely.
To put this in context, we were talking about metalink which is an XML list
of mirrors, checksums, and signatures for easier downloading/file
distribution. metalinks can contain:
partial file checksums for repairing a download
full file checksums
cryptographic signature
The problem is that there are multiple clients on multiple operating
systems. Almost all clients support MD5/SHA-1 full file checksums now. None
of them support partial file checksums or signatures so far. I doubt the
Windows and Mac clients will support PGP signatures, but maybe. It seems
like the Linux clients will be more likely to have GPG and integrate it. So,
a client that supports signatures could use the partial file checksums for
errors in transfer, then just use the signature and skip the full file
checksum. Ones that don't support signatures can use the partial and full
file checksums.
Support for metalink in KGet in KDE4 seems to be making progress.
(( Anthony Bryan
)) Metalink [ http://www.metalinker.org ]
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-project+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-project+help@xxxxxxxxxxxx
> > The "snag" is that checking both checksum and signature doubles
> checking
> > time. I suppose that the user could select which one to use, same as
> rpm
> > does, having both systems too, if I'm not mistaken.
>
> A cryptographic signature should detect data corruption as well as a
> checksum -- after all it needs to detect willful tampering, not just
> technical corruption. So that should suffice, shouldn't it?
Definitely.
To put this in context, we were talking about metalink which is an XML list
of mirrors, checksums, and signatures for easier downloading/file
distribution. metalinks can contain:
partial file checksums for repairing a download
full file checksums
cryptographic signature
The problem is that there are multiple clients on multiple operating
systems. Almost all clients support MD5/SHA-1 full file checksums now. None
of them support partial file checksums or signatures so far. I doubt the
Windows and Mac clients will support PGP signatures, but maybe. It seems
like the Linux clients will be more likely to have GPG and integrate it. So,
a client that supports signatures could use the partial file checksums for
errors in transfer, then just use the signature and skip the full file
checksum. Ones that don't support signatures can use the partial and full
file checksums.
Support for metalink in KGet in KDE4 seems to be making progress.
(( Anthony Bryan
)) Metalink [ http://www.metalinker.org ]
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-project+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-project+help@xxxxxxxxxxxx
| < Previous | Next > |