Newsgroups: php.internals
Date: Sat, 01 Jul 2017 17:06:01 +0000
Subject: Re: [PHP-DEV] MD5 no longer part of release process
From: neclimdul@gmail.com (James Gilliland)
To: Sara Golemon, Niklas Keller
Cc: PHP internals

On Wed, Jun 28, 2017, 10:26 AM Sara Golemon wrote:

> On Wed, Jun 28, 2017 at 2:58 AM, Niklas Keller wrote:
> > 2017-06-28 4:19 GMT+02:00 Sara Golemon:
> >> I've pushed two commits to remove MD5 from www.php.net and qa.php.net,
> >> however it should be noted that I left a fair amount of md5 in web-php
> >> because very old releases have neither GPG signatures nor SHA256
> >> checksums, and while MD5 is weak and broken, it's better than nothing.
> >>
> > Can't we just rehash them?
> >
> If we agree that we trust the existing binaries haven't been
> compromised at any point, sure. But at that point we'd be saying
> "Here's a trustable sha256/gpg signature for a file" when really it's
> "Here's a signature that's only really as trustable as the md5 we used
> to verify it when we rehashed".
>
> In the interest of not presenting a false sense of security, I'd vote
> "No" on that. Our past few years of releases are more reliably
> signed, and we can be honest about what's in the attic.
>
> That all said, it wouldn't be a terrible idea to anchor some gpg sigs
> of the old archives (in an explicitly flagged repo) just to be able to
> say "They haven't changed since Jun 2017".

The counter argument is "They haven't changed since 2017" is better than they might have changed yesterday... Especially in a couple years. Or when things don't get hacked and we want to verify them. They all have published vulnerabilities so for anyone who cares to look at them that should be good enough. You could leave the md5 to distinguish them. That or if we don't trust them enough to sign them, remove them because we're never going to trust them more than we do today.
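
The trade-off discussed in this thread, as an added example (not part of the original message and not PHP's release tooling): a manifest that anchors SHA-256 digests of old archives while recording whether each one was checked against its legacy MD5, so the new digest is never presented as stronger than its basis, and a later audit can still show that nothing changed since the anchor date. File names, contents and manifest field names are constructed for illustration.

```python
import hashlib
import json


def anchor(files, legacy_md5, anchored_on):
    """Record a SHA-256 per archive, labelled with what the trust rests on."""
    manifest = {"anchored_on": anchored_on, "entries": {}}
    for name, data in sorted(files.items()):
        expected = legacy_md5.get(name)
        if expected is None:
            basis = "no-legacy-checksum"   # nothing to compare against
        elif hashlib.md5(data).hexdigest() == expected.lower():
            basis = "md5-match"            # only as trustworthy as the MD5
        else:
            basis = "md5-mismatch"         # flag for review, do not hide it
        manifest["entries"][name] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "basis": basis,
        }
    return manifest


def audit(manifest, files):
    """Return archives that are missing or differ from the anchored digest."""
    changed = []
    for name, entry in manifest["entries"].items():
        data = files.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            changed.append(name)
    return changed


# Constructed sample data standing in for old release archives.
ARCHIVES = {
    "old-release-a.tar.gz": b"constructed archive A",
    "old-release-b.tar.gz": b"constructed archive B",
    "old-release-c.tar.gz": b"constructed archive C",
}
# Constructed legacy checksums: A matches, B does not, C never had one.
LEGACY_MD5 = {
    "old-release-a.tar.gz": hashlib.md5(b"constructed archive A").hexdigest(),
    "old-release-b.tar.gz": "0" * 32,
}

if __name__ == "__main__":
    manifest = anchor(ARCHIVES, LEGACY_MD5, "2017-06")
    print(json.dumps(manifest, indent=2))
    later = dict(ARCHIVES, **{"old-release-a.tar.gz": b"modified later"})
    print("changed since anchor:", audit(manifest, later))
```

In practice the manifest itself would be the thing that gets a GPG signature, which is what makes the "unchanged since the anchor date" claim checkable later.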