What to do if upstream does not provide hashes for tarballs?

Joshua Root jmr at macports.org
Tue Nov 25 23:36:33 PST 2014


On 2014-11-26 17:40, Leo Singer wrote:
> Hi,
> 
> I maintain one port (ds9) for which the upstream source tarball is posted on an http (no TLS) server. When I uploaded the initial version of the port, I recorded the hashes that I calculated from the tarball. There is an update available. I asked the developer if he could put a cryptographic hash on an https server. He sent me an RMD160 and a SHA1 hash, but in an unsigned e-mail. So technically, I have no way to check that the sources have not been tampered with. I don't think upstream has the resources to set up an https server.
> 
> Am I being way too paranoid? Should I just take the sources and hashes that I have?

Sounds like a healthy level of paranoia to me. Unfortunately, sometimes
upstream just doesn't publish hashes or sign anything, and there isn't
much you can do (assuming you don't have the time to conduct an audit of
the source).

In general, you take precautions proportional to the value of what an
attacker would gain access to if they managed to insert a trojan.

- Josh
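The check Leo and Josh are discussing, as an added example that is not part of the thread and not MacPorts' own tooling: compute the digests a Portfile records (size, sha1, sha256, rmd160 where the platform still provides it), compare them against every claimed value you could get hold of, and weigh the result by whether each claim came through a channel an attacker on the http download path would also have to control. The tarball bytes, the source names and the "other distro" checksum are constructed for the example; they are not values for the real ds9 release.

```python
"""Cross-check a downloaded tarball against every hash you could obtain,
and say how much each agreement is actually worth.

Added example, not MacPorts code. SAMPLE stands in for a tarball and the
source names are hypothetical.
"""
import hashlib
from dataclasses import dataclass


def digests(data: bytes) -> dict:
    """Return size and hex digests in the algorithms a Portfile records."""
    out = {
        "size": str(len(data)),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    # RIPEMD-160 sits in OpenSSL's legacy provider on recent systems and may
    # be absent from hashlib; treat it as optional instead of aborting.
    try:
        out["rmd160"] = hashlib.new("ripemd160", data).hexdigest()
    except ValueError:
        pass
    return out


def digests_of_file(path: str) -> dict:
    """digests() over a file on disk (the tarball as fetched over http)."""
    with open(path, "rb") as f:
        return digests(f.read())


@dataclass(frozen=True)
class Source:
    name: str
    # True only when the channel is one an attacker who controls the http
    # download would also have to compromise: a hash you recorded for an
    # earlier fetch, a signed announcement, another packager's checksum.
    # An unsigned e-mail is a judgement call; it is flagged False below.
    independent: bool
    claims: dict  # algorithm name -> hex digest, or "size" -> byte count


def compare(data: bytes, sources) -> dict:
    """Per source, per claimed algorithm: 'match', 'MISMATCH' or 'unavailable'."""
    actual = digests(data)
    report = {}
    for src in sources:
        result = {}
        for algo, claimed in src.claims.items():
            if algo not in actual:
                result[algo] = "unavailable"
            elif actual[algo] == str(claimed).strip().lower():
                result[algo] = "match"
            else:
                result[algo] = "MISMATCH"
        report[src.name] = result
    return report


def verdict(data: bytes, sources) -> tuple:
    """Collapse the report to (status, independent corroborations).

    Any mismatch is a hard stop: either a claimed hash is stale or the file
    was replaced, and both need a human before the port is updated.
    """
    report = compare(data, sources)
    if any("MISMATCH" in r.values() for r in report.values()):
        return ("reject", 0)
    corroborated = sum(
        1 for s in sources
        if s.independent and "match" in report[s.name].values()
    )
    if corroborated == 0:
        # Nothing but trust-on-first-use: record the hashes so a later
        # substitution is at least detectable, and know that is all you have.
        return ("unverified", 0)
    return ("corroborated", corroborated)


# Constructed stand-in for the tarball; the real file would come over http.
SAMPLE = b"ds9-stand-in: not real tarball contents\n" * 8


def demo() -> dict:
    good = digests(SAMPLE)
    sources = [
        # Values pasted from the developer's unsigned e-mail.
        Source("upstream e-mail", independent=False,
               claims={"sha1": good["sha1"], "rmd160": good.get("rmd160", "")}),
        # Hypothetical: the checksum another packager recorded for the same
        # release, fetched from their repository over TLS.
        Source("other-distro package (hypothetical)", independent=True,
               claims={"sha256": good["sha256"], "size": good["size"]}),
    ]
    tampered = SAMPLE + b"# injected\n"
    return {
        "as_downloaded": verdict(SAMPLE, sources),
        "tampered": verdict(tampered, sources),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The flag on each Source is the whole point: agreement with a hash that travelled the same path as the tarball, or one that anyone could have spoofed, proves only that the file did not change between two looks. Agreement with a value recorded elsewhere at a different time, or by a different packager, is what raises confidence, and even then only by as much as you trust those sources. Recording your own digests on first fetch gives you nothing more than the ability to notice a later swap, which is still worth having.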


More information about the macports-dev mailing list