Re: [PATCH] build: sign tarball instead of sha256sum

Subject: Re: [PATCH] build: sign tarball instead of sha256sum

Date: Thu, 14 Mar 2019 22:49:44 -0300

To: Daniel Kahn Gillmor, Carl Worth, Adam Majer,


From: David Bremner

Daniel Kahn Gillmor <> writes:

> So for some existing version Y of notmuch, if an attacker takes
> notmuch-Y.tgz and notmuch-Y.tgz.asc and renames them both to
> notmuch-Z.tgz and notmuch-Z.tgz.asc, they can make it look like a new
> version (version Z) of notmuch is available!  The only way to detect the
> attack is to store a log of timestamps of previous releases, and try to
> compare timestamps (though this itself can be confusing and wrong if we
> were to maintain multiple branches concurrently).  This permits a
> "rollback" or "version freeze" attack, which we probably don't want to
> encourage.

OK, so apparently this is a problem for almost every project, including
GnuPG? That's mildly terrifying...

I don't mind either way, but it does seem like there is a tradeoff,
since with the previous version I suspect many people are just not
verifying the signature (e.g. can uscan in debian handle the sha256sum

notmuch mailing list