Re: 'Checksum' property is potentially problematic
From: Joël Krähemann
Subject: Re: 'Checksum' property is potentially problematic
Date: Thu, 14 Jan 2021 06:33:08 +0000
Hi,
Ignore my previous message ...
For sure we have a checksum field
I leave it empty, but rather provide the GPG signature.
https://directory.fsf.org/wiki/Gsequencer
Cheers,
Joël
On Thu, 14 Jan 2021 at 06:26, Joël Krähemann
<joel.kraehemann@gmail.com> wrote:
>
> Hi all,
>
> Didn't know that we have got a checksum field at all ... :-/
>
> I provide for my packages GPG Signatures since on Savannah:
>
> https://download.savannah.gnu.org/releases/gsequencer/
>
> Actually started to sign since 2016-12-08
>
> https://sourceforge.net/projects/ags/
>
> Can I use it with this field?
>
> regards,
> Joël
>
> On Wed, 13 Jan 2021 at 17:56, Sebastian <seabass_fsd@gmx.co.uk> wrote:
> >
> > Dear all,
> >
> > In my efforts to add as much useful data to entries as possible, I
> > inevitably came to the 'Checksum' property - it turns out this is not
> > what I thought it was, and raises some interesting questions.
> >
> > I had assumed that this was a field to contain a checksum for the
> > package's release of the version listed in the 'Version identifier'
> > field, but it is actually configured to contain an HTTP URL to a
> > checksum file.
> >
> > Firstly, I believe that the help bubble on the form is rather
> > misleading:
> >
> > > Checksum of this free software release. Please use "sum" from the GNU
> > > coreutils. Used during security checks.
> >
> > ...all the entries that have this property contain one of two types of
> > cryptographic hashes, SHA-256 or the now-broken MD5 function.
> > Admittedly, GNU coreutils contains programs to perform both of these
> > hash functions, but the checksum produced by the GNU 'sum' command is so
> > weak as to be useless for security checking.
> >
> > Secondly, if the checksum is supposed to refer to the specific package
> > version (it appears below the download link in the normal page view),
> > then I think this ought to be clear in the form as well: 'Version
> > checksum' rather than 'Checksum'.
> >
> > These questions, however, make me wonder about the utility of such a
> > field on the Directory. If the cryptographic hash is to be used for
> > verifying the origin of the package (rather than just the integrity of
> > the download), then the Free Software Directory must be completely
> > trusted. This is because entries have direct download URLs - if a
> > malicious actor could modify the download link to a similar-looking but
> > dangerous address, then that same attacker would have no trouble in
> > leading users down a false sense of security by changing the checksum as
> > well. I imagine the same applies to the 'OpenPGP public key URL' field.
> > Should the Free Software Directory really take on the burden of being a
> > 'trust-broker' for packages as well as a mere catalogue?
> >
> > And finally, this property is not terribly popular[1]... Only 0.2% of
> > entries have it!
> >
> > Best wishes,
> >
> > Sebastian
> >
> > --
> > - Freenode: 'seabass'
> > - Matrix: '@seabass:chat.weho.st'
> > - FSD: 'Freefish'
> >
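As an added example (not code from the Directory, GSequencer, or either poster), here is a checker for the checksum-file format the 'Checksum' field links to; it refuses the MD5 and `sum` digests Sebastian describes as too weak. The file names and digests are constructed.

```python
"""Check a release download against a checksum file in GNU coreutils
`sha256sum` output format, the kind the FSD 'Checksum' field links to.
Added example with constructed names and digests; a match proves integrity
against that file only, not where the tarball or the file came from."""
import hashlib
import hmac
import re

# Digest lengths (hex chars) we accept. MD5 (32 chars) and the 16-bit `sum`
# output are deliberately absent: neither is collision-resistant.
ACCEPTED = {64: "sha256", 128: "sha512"}
# "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode), as coreutils prints.
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")

def parse_checksum_file(text):
    """Return {filename: (algorithm, hexdigest)}; raise ValueError on any
    line we cannot accept, so a weak line can never be silently skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in checksum format")
        digest, name = m.group(1).lower(), m.group(2)
        algo = ACCEPTED.get(len(digest))
        if algo is None:
            raise ValueError(f"line {lineno}: {len(digest) * 4}-bit digest refused")
        entries[name] = (algo, digest)
    return entries

def verdict(filename, data, checksum_text):
    """Classify a download as 'ok', 'mismatch', 'not-listed' or 'refused: <reason>'."""
    try:
        entries = parse_checksum_file(checksum_text)
    except ValueError as exc:
        return f"refused: {exc}"
    if filename not in entries:
        return "not-listed"
    algo, expected = entries[filename]
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; cheap here, and a good habit for digests.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

# Constructed samples: SHA-256 and MD5 of the five bytes b"hello".
SAMPLE_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  example-release.tar.gz\n"
SAMPLE_MD5 = "5d41402abc4b2a76b9719d911017c592  example-release.tar.gz\n"
```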