Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: [SCRIPT] Generate SHA256SUM files for the mirror



On 4/24/2026 04:39, Daniel Shahaf wrote:
> We might want to have rsyncd.conf exclude MD5SUM and SHA256SUM (and possibly *.asc) from the "pub" dataset, thus forcing people to download them from *.zsh.org directly.  This would mean an active attacker with root access to a mirror wouldn't be able to "just" replace the .tar.xz file and recalculate the checksums; they'd have to collide the SHA256 checksum (and possibly forge a signature under the true key) as well.

I think that would make these bots more likely to flag the mirrors.  Maybe clear sign the SUM files?
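Added example, not code from the zsh project or from either poster in this thread: a small Python checker in the spirit of `sha256sum -c` that shows the mirror threat model quoted above. An attacker with root on a mirror swaps the tarball and regenerates the mirror's SHA256SUM, so checking against the mirror's copy passes while checking against the origin's copy fails. It also strips a clearsigned SHA256SUM to its signed body, which is the format the reply proposes; the signature itself is deliberately not verified here (that is `gpg --verify`'s job). The release name `zsh-9.9.9.tar.xz`, the file contents and the clearsigned text are all constructed for the example.

```python
"""Added example (not the zsh project's code): verify files against a
SHA256SUM in coreutils `sha256sum` format, and show why the SUM file must
come from the origin rather than from the mirror it describes."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large tarballs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sumfile(directory, names):
    """Text in the format `sha256sum` writes: '<hex>  <name>' per line."""
    return "".join(f"{sha256_file(os.path.join(directory, n))}  {n}\n" for n in names)


def clearsigned_body(text):
    """Return the signed cleartext of a PGP clearsigned message (RFC 4880 s7),
    or the text unchanged if it is not clearsigned.  Only the framing is
    parsed; the signature is NOT checked, run `gpg --verify` for that."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1  # skip armor headers such as "Hash: SHA256" up to the blank line
    while i < len(lines) and lines[i] != "":
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        # undo dash-escaping: body lines starting with '-' were prefixed '- '
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body) + "\n"


def verify_sums(sumfile_text, directory):
    """Like `sha256sum -c`: map each listed name to True/False (missing -> False)."""
    results = {}
    for line in clearsigned_body(sumfile_text).splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*")  # binary-mode marker written by some tools
        path = os.path.join(directory, name)
        results[name] = os.path.exists(path) and sha256_file(path) == digest
    return results


def mirror_substitution_scenario():
    """Constructed scenario.  Origin publishes a tarball plus SHA256SUM; an
    attacker with root on a mirror replaces the tarball and regenerates the
    mirror's own SHA256SUM.  Returns (verdict using the mirror's SUM file,
    verdict using the origin's SUM file) for the tampered tarball."""
    name = "zsh-9.9.9.tar.xz"  # hypothetical release name, not a real one
    with tempfile.TemporaryDirectory() as tmp:
        origin = os.path.join(tmp, "origin")
        mirror = os.path.join(tmp, "mirror")
        os.makedirs(origin)
        os.makedirs(mirror)
        with open(os.path.join(origin, name), "wb") as f:
            f.write(b"genuine release bytes (constructed)\n")
        origin_sums = make_sumfile(origin, [name])  # what *.zsh.org serves
        # attacker on the mirror: swap the tarball, recompute the mirror's sums
        with open(os.path.join(mirror, name), "wb") as f:
            f.write(b"backdoored bytes (constructed)\n")
        mirror_sums = make_sumfile(mirror, [name])
        return (verify_sums(mirror_sums, mirror)[name],
                verify_sums(origin_sums, mirror)[name])


if __name__ == "__main__":
    via_mirror, via_origin = mirror_substitution_scenario()
    print("check against mirror's SHA256SUM :", "OK" if via_mirror else "FAILED")
    print("check against origin's SHA256SUM :", "OK" if via_origin else "FAILED")
```

The two verdicts are the whole argument: a SUM file that travels with the data it describes is only as trustworthy as the host serving both, so it should be excluded from the rsync module (rsyncd.conf's per-module `exclude` parameter takes a space-separated list of patterns) and fetched from the origin, and if it is clearsigned the body above is only meaningful after `gpg --verify` has accepted the signature under the release key.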




