GHC 7.6.3 (and others) hashes

Hi everybody,

I'm building up a body of SaltStack "states" for developing with and running Haskell web-apps. Since I am hoping my project will go big (don't we all?) I'm hoping to do things right, the first time (up to the constraints of marginal costs...)

So, to that end, I'm trying to go a little overboard on the systems security front, since the costs are so low.

Is there anywhere I can find SHA hashes for the official GHC builds? In particular, I'm looking for a hash for the file located at:

https://www.haskell.org/ghc/dist/7.6.3/ghc-7.6.3-x86_64-unknown-linux.tar.bz...

I suppose downloading via an encrypted http connection goes a long way to mitigate MITM, etc. And I realize that long term, I'll want to host my own copy (and I will). But that is quickly sliding up the cost curve. Plus, I won't know if the copy I host will be okay unless I get the hash from a trusted source.

Is there some place to get that hash?

Thanks!

just dl and hash it.
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe

On Sat, Feb 15, 2014 at 01:11:53AM -0500, Carter Schonwald wrote:
> just dl and hash it.

Yes, to ensure it's the exact same trojan you install on all your machines ;)

/M

-- Magnus Therning

the day that ghc binaries are MITM'd is the day we've failed to avoid
success :)

mind you, even if haskell industrial usage grows, I hope we continue to grow our security in infrastructure to ensure that such attacks are never viable! :)

Hosting your own copy doesn't mean you can trust it. Read
http://cm.bell-labs.com/who/ken/trust.html

Hi Alexander,

> Is there anywhere I can find SHA hashes for the official GHC builds?

I don't think the GHC folks publish such hashes anywhere. You might want to create a Trac ticket to that extent, because they really should, IMHO.

At the time being, there is no way for you to authenticate those binaries.

Take care,
Peter

* Peter Simons
> Hi Alexander,
>
> > Is there anywhere I can find SHA hashes for the official GHC builds?
>
> I don't think the GHC folks publish such hashes anywhere. You might want to create a Trac ticket to that extent, because they really should, IMHO.
>
> At the time being, there is no way for you to authenticate those binaries.

This is one thing I never really understood. Can someone explain it to me? I suppose that SHA hashes are meaningless unless they are PGP-signed by, say, Austin? So what's the advantage over distributing a PGP signature for the tarball itself?

Roman

Hi Roman,

> I suppose that SHA hashes are meaningless unless they are PGP-signed by, say, Austin?

well, there are shades of gray. Technically speaking, even PGP-signatures are meaningless unless you've personally verified the fingerprint of the PGP-key that signed the release with the owner of the key. If you didn't do that, you cannot trust the key, and hence its signature doesn't mean anything.

In practice, however, a valid PGP-signature *does* add some security. It's not 100% secure, but it's certainly better than no signature at all.

The same applies to publishing hashes. A published hash is no guarantee that the binary is authentic, but having one is certainly better than *not* having one. Right?

Take care,
Peter

* Peter Simons
> Hi Roman,
>
> > I suppose that SHA hashes are meaningless unless they are PGP-signed by, say, Austin?
>
> well, there are shades of gray. Technically speaking, even PGP-signatures are meaningless unless you've personally verified the fingerprint of the PGP-key that signed the release with the owner of the key. If you didn't do that, you cannot trust the key, and hence its signature doesn't mean anything.

Obviously. But PGP has at least some value (it's useful for those who trust the key), while just an SHA sum... I don't know.

Also, a PGP signature is itself a signed hash, so there's hardly any "security" reason to prefer plain SHA to PGP.

> In practice, however, a valid PGP-signature *does* add some security. It's not 100% secure, but it's certainly better than no signature at all.
>
> The same applies to publishing hashes. A published hash is no guarantee that the binary is authentic, but having one is certainly better than *not* having one. Right?

In that case, SHA256 of https://www.haskell.org/ghc/dist/7.6.3/ghc-7.6.3-i386-unknown-linux.tar.bz2 is eb9bd2ca86c72c7f2ba9f2301e2ae04c44aa4828cf1180548619aa4c040a7ff0. HTH.

Roman

It is also useful for non-security reasons, e.g. data corruption due to a poor network connection or bad file system.

-- Kyle Marek-Spartz

bzip2 already includes a CRC-32 checksum that should suffice for
non-security purposes.

On Sat, Feb 15, 2014 at 7:04 AM, Roman Cheplyaka wrote:
> * Peter Simons [2014-02-15 15:54:57+0100]
> > Hi Alexander,
> >
> > > Is there anywhere I can find SHA hashes for the official GHC builds?
> >
> > I don't think the GHC folks publish such hashes anywhere. You might want to create a Trac ticket to that extent, because they really should, IMHO.
> >
> > At the time being, there is no way for you to authenticate those binaries.
>
> This is one thing I never really understood. Can someone explain it to me? I suppose that SHA hashes are meaningless unless they are PGP-signed by, say, Austin? So what's the advantage over distributing a PGP signature for the tarball itself?

For my part, my question was mostly motivated by the tools I'm using, which use SHA hashes. You are right that signing would provide more security, but the tools I'm evaluating use hashes. And I can foresee circumstances in which they provide protection against attack. For example, some large projects mirror the keys. An unannounced change of the hash would get noticed. This is especially true if I keep a copy of the hash. Making hashes is pretty cheap. So is signing. I am not against signing as well, by any means.
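
The "keep a copy of the hash" idea from the message above, as an added example that is not part of the original thread: a small pin store that records a file's SHA-256 the first time it is seen and reports any later change. The function names, the `pins.json` file and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large tarballs are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_pin(pin_file, name, path):
    """Return 'pinned' on first sight, then 'match' or 'mismatch'.

    A first-sight pin only records what was downloaded; it says nothing
    about authenticity unless the digest came from a trusted source.
    """
    pins = {}
    if os.path.exists(pin_file):
        with open(pin_file) as f:
            pins = json.load(f)
    digest = sha256_file(path)
    if name not in pins:
        pins[name] = digest
        with open(pin_file, "w") as f:
            json.dump(pins, f, indent=2, sort_keys=True)
        return "pinned"
    return "match" if hmac.compare_digest(pins[name], digest) else "mismatch"

def demo():
    """Constructed data: byte strings stand in for a tarball and an altered copy."""
    with tempfile.TemporaryDirectory() as d:
        pin_file = os.path.join(d, "pins.json")        # hypothetical pin store
        tarball = os.path.join(d, "example.tar.bz2")   # hypothetical file name
        with open(tarball, "wb") as f:
            f.write(b"constructed release bytes")
        results = [check_pin(pin_file, "example.tar.bz2", tarball)]
        results.append(check_pin(pin_file, "example.tar.bz2", tarball))
        with open(tarball, "wb") as f:
            f.write(b"constructed release bytes, altered upstream")
        results.append(check_pin(pin_file, "example.tar.bz2", tarball))
        return results

if __name__ == "__main__":
    print(demo())
```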
participants (7)
- Alexander Solla
- Carter Schonwald
- Kyle Marek-Spartz
- Magnus Therning
- Mike Meyer
- Peter Simons
- Roman Cheplyaka