Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Yann Ylavic <yl...@gmail.com>]

[cross posting @docs => @dev, full thread
http://www.gossamer-threads.com/lists/apache/docs/453401]

On Thu, Jan 14, 2016 at 1:50 AM, Tom Fredrik Blenning Klaussen
<bf...@blenning.no> wrote:
>
> On 14/01/16 01:19, Yann Ylavic wrote:
>>
>> as I said earlier, the way you access the
>> tarball is not that important provided you verify its signature, or
>> its digests from the official repository only.
>
> I understand what you are saying that the proper way is to download
> the checksums from the correct source, which is self-evident. Now
> assume you're a new user, and do not have this previous knowledge.
> This user is security conscious, so the user chooses https on purpose.
> He would go into (https://httpd.apache.org), where he would find a
> link taking him to (https://httpd.apache.org/download.cgi), at this
> point, he would find the link to (http://www.apache.org/dist/httpd/),
> what I'm saying is in order to have some trust in that link, it
> _SHOULD_ be https otherwise assuming you could introduce yourself as a
> MitM, manipulating the signatures would be trivial.

OK, I thought the links to the MD5/SH1/PGP were https: but this is not the case.
I agree that the origin of these files should be trustable.

@dev: should I s/http:/https:/ for those links (only) in
^httpd/site/trunk/content/download.mdtext?
Or possibly use paths instead (i.e. /dist/httpd/...) so that it
depends on /download.cgi is accessed?
Would that be enough for the prod to be updated (via staging)?

Regards,
Yann.

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Yann Ylavic <yl...@gmail.com>]

Thanks, I'll read this!

On Tue, Feb 2, 2016 at 6:58 PM, Luca Toscano <to...@gmail.com> wrote:
> Hi Yann,
>
> 2016-02-02 18:41 GMT+01:00 Yann Ylavic <yl...@gmail.com>:
>>
>>
>> How do you do the "publish" part?
>>
>
> I use the bookmarklet outlined in http://www.apache.org/dev/cms.html#usage
> (didn't know what it was until Humbedooh explained to me with extreme
> patience :)
>
> I usually go to http://httpd.staging.apache.org/ after committing, and hit
> the bookmark to access the CMS page. Then the "Publish" button will push the
> changes to http://httpd.apache.org/
>
> Luca
>
>

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Luca Toscano <to...@gmail.com>]

Hi Yann,

2016-02-02 18:41 GMT+01:00 Yann Ylavic <yl...@gmail.com>:

>
> How do you do the "publish" part?
>
>
I use the bookmarklet outlined in http://www.apache.org/dev/cms.html#usage
(didn't know what it was until Humbedooh explained to me with extreme
patience :)

I usually go to http://httpd.staging.apache.org/ after committing, and hit
the bookmark to access the CMS page. Then the "Publish" button will push
the changes to http://httpd.apache.org/

Luca

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Yann Ylavic <yl...@gmail.com>]

Hi Luca,

On Tue, Feb 2, 2016 at 6:27 PM, Luca Toscano <to...@gmail.com> wrote:
>
> sorry for the lack of response but I didn't notice the patch.

No problem.

> I checked the
> links in staging and published the patch to
> https://httpd.apache.org/download.cgi (hope that it is ok for you).

How do you do the "publish" part?

Regards,
Yann.

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Luca Toscano <to...@gmail.com>]

2016-02-02 21:10 GMT+01:00 Tom Fredrik Blenning Klaussen <bf...@blenning.no>:

>
> Having reviewed the changes I think they're good, but not complete.
> The remaining http links should be changed to // .
> Eg "http://httpd.apache.org/mod_ftp/" should be changed to
> "//httpd.apache.org/mod_ftp/" for all links containing apache servers.
> I'm not sure if external links needs to be changed, but to the extent
> they work I see nothing wrong in changing them.
>

Hi, just changed the remaining links to // (except the external ones), it
should be fine now. Please let me know what is missing!

Luca

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Luca Toscano <to...@gmail.com>]

2016-02-02 21:10 GMT+01:00 Tom Fredrik Blenning Klaussen <bf...@blenning.no>:

>
> Having reviewed the changes I think they're good, but not complete.
> The remaining http links should be changed to // .
> Eg "http://httpd.apache.org/mod_ftp/" should be changed to
> "//httpd.apache.org/mod_ftp/" for all links containing apache servers.
> I'm not sure if external links needs to be changed, but to the extent
> they work I see nothing wrong in changing them.
>

Hi, just changed the remaining links to // (except the external ones), it
should be fine now. Please let me know what is missing!

Luca

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Tom Fredrik Blenning Klaussen <bf...@blenning.no>]

On 02/02/16 18:27, Luca Toscano wrote:
> Hi Yann,
> 
> sorry for the lack of response but I didn't notice the patch. I
> checked the links in staging and published the patch to 
> https://httpd.apache.org/download.cgi (hope that it is ok for
> you).
> 
> Thanks Tom!
> 
> Luca
> 
> 2016-02-02 11:09 GMT+01:00 Yann Ylavic <yl...@gmail.com>:
> 
>> On Wed, Jan 20, 2016 at 11:24 PM, Yann Ylavic
>> <yl...@gmail.com> wrote:
>>> 
>>> Would attached patch be appropriate, so that MD5/SHA1/ASC/KEYS
>>> files are under https://*.apache.org's certification?
>> 
>> Assuming lazy consensus, committed in r1728066.
>> 
>> Thanks Tom Fredrik.

Give credit where credit is due, nothing would have happened if it
hadn't been for Fedor Brunner's original report.

Having reviewed the changes I think they're good, but not complete.
The remaining http links should be changed to // .
Eg "http://httpd.apache.org/mod_ftp/" should be changed to
"//httpd.apache.org/mod_ftp/" for all links containing apache servers.
I'm not sure if external links needs to be changed, but to the extent
they work I see nothing wrong in changing them.

-Tom Fredrik

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Luca Toscano <to...@gmail.com>]

Hi Yann,

sorry for the lack of response but I didn't notice the patch. I checked the
links in staging and published the patch to
https://httpd.apache.org/download.cgi (hope that it is ok for you).

Thanks Tom!

Luca

2016-02-02 11:09 GMT+01:00 Yann Ylavic <yl...@gmail.com>:

> On Wed, Jan 20, 2016 at 11:24 PM, Yann Ylavic <yl...@gmail.com>
> wrote:
> >
> > Would attached patch be appropriate, so that MD5/SHA1/ASC/KEYS files
> > are under https://*.apache.org's certification?
>
> Assuming lazy consensus, committed in r1728066.
>
> Thanks Tom Fredrik.
>
> Regards,
> Yann.
>

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Luca Toscano <to...@gmail.com>]

Hi Yann,

sorry for the lack of response but I didn't notice the patch. I checked the
links in staging and published the patch to
https://httpd.apache.org/download.cgi (hope that it is ok for you).

Thanks Tom!

Luca

2016-02-02 11:09 GMT+01:00 Yann Ylavic <yl...@gmail.com>:

> On Wed, Jan 20, 2016 at 11:24 PM, Yann Ylavic <yl...@gmail.com>
> wrote:
> >
> > Would attached patch be appropriate, so that MD5/SHA1/ASC/KEYS files
> > are under https://*.apache.org's certification?
>
> Assuming lazy consensus, committed in r1728066.
>
> Thanks Tom Fredrik.
>
> Regards,
> Yann.
>

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Yann Ylavic <yl...@gmail.com>]

On Wed, Jan 20, 2016 at 11:24 PM, Yann Ylavic <yl...@gmail.com> wrote:
>
> Would attached patch be appropriate, so that MD5/SHA1/ASC/KEYS files
> are under https://*.apache.org's certification?

Assuming lazy consensus, committed in r1728066.

Thanks Tom Fredrik.

Regards,
Yann.

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Yann Ylavic <yl...@gmail.com>]

On Wed, Jan 20, 2016 at 11:24 PM, Yann Ylavic <yl...@gmail.com> wrote:
>
> Would attached patch be appropriate, so that MD5/SHA1/ASC/KEYS files
> are under https://*.apache.org's certification?

Assuming lazy consensus, committed in r1728066.

Thanks Tom Fredrik.

Regards,
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Yann Ylavic <yl...@gmail.com>]

On Thu, Jan 14, 2016 at 9:25 AM, Yann Ylavic <yl...@gmail.com> wrote:
> [cross posting @docs => @dev, full thread
> http://www.gossamer-threads.com/lists/apache/docs/453401]
>
> On Thu, Jan 14, 2016 at 1:50 AM, Tom Fredrik Blenning Klaussen
> <bf...@blenning.no> wrote:
>>
>> On 14/01/16 01:19, Yann Ylavic wrote:
>>>
>>> as I said earlier, the way you access the
>>> tarball is not that important provided you verify its signature, or
>>> its digests from the official repository only.
>>
>> I understand what you are saying that the proper way is to download
>> the checksums from the correct source, which is self-evident. Now
>> assume you're a new user, and do not have this previous knowledge.
>> This user is security conscious, so the user chooses https on purpose.
>> He would go into (https://httpd.apache.org), where he would find a
>> link taking him to (https://httpd.apache.org/download.cgi), at this
>> point, he would find the link to (http://www.apache.org/dist/httpd/),
>> what I'm saying is in order to have some trust in that link, it
>> _SHOULD_ be https otherwise assuming you could introduce yourself as a
>> MitM, manipulating the signatures would be trivial.
>
> OK, I thought the links to the MD5/SH1/PGP were https: but this is not the case.
> I agree that the origin of these files should be trustable.
>
> @dev: should I s/http:/https:/ for those links (only) in
> ^httpd/site/trunk/content/download.mdtext?
> Or possibly use paths instead (i.e. /dist/httpd/...) so that it
> depends on /download.cgi is accessed?
> Would that be enough for the prod to be updated (via staging)?

Would attached patch be appropriate, so that MD5/SHA1/ASC/KEYS files
are under https://*.apache.org's certification?

Re: [Bug 55808] File integrity verification using MD5 and SHA1

[Yann Ylavic <yl...@gmail.com>]

On Thu, Jan 14, 2016 at 9:25 AM, Yann Ylavic <yl...@gmail.com> wrote:
> [cross posting @docs => @dev, full thread
> http://www.gossamer-threads.com/lists/apache/docs/453401]
>
> On Thu, Jan 14, 2016 at 1:50 AM, Tom Fredrik Blenning Klaussen
> <bf...@blenning.no> wrote:
>>
>> On 14/01/16 01:19, Yann Ylavic wrote:
>>>
>>> as I said earlier, the way you access the
>>> tarball is not that important provided you verify its signature, or
>>> its digests from the official repository only.
>>
>> I understand what you are saying that the proper way is to download
>> the checksums from the correct source, which is self-evident. Now
>> assume you're a new user, and do not have this previous knowledge.
>> This user is security conscious, so the user chooses https on purpose.
>> He would go into (https://httpd.apache.org), where he would find a
>> link taking him to (https://httpd.apache.org/download.cgi), at this
>> point, he would find the link to (http://www.apache.org/dist/httpd/),
>> what I'm saying is in order to have some trust in that link, it
>> _SHOULD_ be https otherwise assuming you could introduce yourself as a
>> MitM, manipulating the signatures would be trivial.
>
> OK, I thought the links to the MD5/SH1/PGP were https: but this is not the case.
> I agree that the origin of these files should be trustable.
>
> @dev: should I s/http:/https:/ for those links (only) in
> ^httpd/site/trunk/content/download.mdtext?
> Or possibly use paths instead (i.e. /dist/httpd/...) so that it
> depends on /download.cgi is accessed?
> Would that be enough for the prod to be updated (via staging)?

Would attached patch be appropriate, so that MD5/SHA1/ASC/KEYS files
are under https://*.apache.org's certification?