Zsh Mailing List Archive

Re: [SCRIPT] Generate SHA256SUM files for the mirror



We might want to have rsyncd.conf exclude MD5SUM and SHA256SUM (and possibly *.asc) from the "pub" dataset, thus forcing people to download them from *.zsh.org directly.  This would mean an active attacker with root access to a mirror wouldn't be able to "just" replace the .tar.xz file and recalculate the checksums; they'd have to collide the SHA256 checksum (and possibly forge a signature under the true key) as well.
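The following is an added example, not part of the original message or the project's scripts: it reproduces the mirror compromise described above with constructed files and shows that a checksum file hosted beside the tarball still passes, while one fetched from the origin does not. It assumes GNU coreutils `sha256sum`; the function names, directory names and the `zsh-x.y.tar.xz` file name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes GNU coreutils sha256sum.

# check_release SUMFILE TARBALL
# Returns 0 if TARBALL's SHA-256 matches its entry in SUMFILE,
# 1 on mismatch, 2 if SUMFILE has no entry for that file name.
check_release() {
    sumfile=$1
    tarball=$2
    name=$(basename "$tarball")
    # sha256sum writes "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sumfile")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# demo: constructed scenario with an "origin" and a "mirror" directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/origin" "$d/mirror"

    # Origin publishes the genuine release and its checksum file.
    printf 'genuine release\n' > "$d/origin/zsh-x.y.tar.xz"
    (cd "$d/origin" && sha256sum zsh-x.y.tar.xz > SHA256SUM)

    # The mirror's copy is replaced and its SHA256SUM recalculated,
    # which is the case the message is concerned with.
    printf 'replaced release\n' > "$d/mirror/zsh-x.y.tar.xz"
    (cd "$d/mirror" && sha256sum zsh-x.y.tar.xz > SHA256SUM)

    # Same downloaded tarball, checked against each checksum source.
    check_release "$d/mirror/SHA256SUM" "$d/mirror/zsh-x.y.tar.xz" \
        && mirror_sums=pass || mirror_sums=fail
    check_release "$d/origin/SHA256SUM" "$d/mirror/zsh-x.y.tar.xz" \
        && origin_sums=pass || origin_sums=fail

    rm -rf "$d"
    echo "mirror-hosted SHA256SUM: $mirror_sums; origin-hosted SHA256SUM: $origin_sums"
}

demo
```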



