After heartbleed, I've become more security-conscious/paranoid than usual. Here's a little snippet that compares a downloaded Ubuntu iso file to the MD5 provided via SSL by Ubuntu. Not foolproof, but more peace of mind than crossing fingers and hoping for the best on the unsecured http mirrors...
    Gofer it
        smalltalkhubUser: 'SeanDeNigris' project: 'Superuser';
        configuration;
        loadStable.

    "#inform: success or signal an error"
    SuUbuntuHash verify: 'ubuntu-12.04.4-desktop-amd64.iso' asFileReference.
Cheers,
Sean |
Here's a corresponding version for Debian. It's not complete yet. Assuming SHA512SUMS and SHA512SUMS.sign are in the same directory, it will verify SHA512SUMS, and then verify SHA512SUMS.sign against the key information at https://www.debian.org/CD/verify . That is the only secure channel that I could find to check against.

    SuDebianKey verify: 'SHA512SUMS' asFileReference.

After verifying SHA512SUMS, you would do the same thing that we did before for Ubuntu - find the hash for the iso file and make sure it matches.
Cheers,
Sean |
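The last step described above (look up the ISO's entry in the already-verified SHA512SUMS and compare it with the file's digest) can be done in-process, without shelling out to a platform-specific hashing command. This is an added Python example, not code from the Superuser project; it assumes the signature on SHA512SUMS has already been checked, and the file name and contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def parse_sums(text, algorithm="sha512"):
    """Parse coreutils-style lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    hex_len = hashlib.new(algorithm).digest_size * 2
    entries = {}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        digest, _, rest = line.partition(" ")
        name = rest[1:] if rest[:1] in (" ", "*") else rest
        digest = digest.lower()
        # Fail closed on anything that is not exactly one digest plus a name.
        if len(digest) != hex_len or not set(digest) <= set("0123456789abcdef") or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = digest
    return entries

def file_digest(path, algorithm="sha512", chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte ISO never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_against_sums(path, sums_text, algorithm="sha512"):
    """True only if the file's basename is listed and its digest matches."""
    expected = parse_sums(sums_text, algorithm).get(os.path.basename(path))
    if expected is None:
        raise LookupError(f"{os.path.basename(path)} is not listed")
    return hmac.compare_digest(expected, file_digest(path, algorithm))

def demo():
    """Constructed stand-in for an ISO: passes, then fails after one byte is appended."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example.iso")  # constructed file name
        with open(iso, "wb") as f:
            f.write(b"constructed image bytes")
        sums = f"{file_digest(iso)}  example.iso\n"  # constructed SHA512SUMS body
        ok = verify_against_sums(iso, sums)
        with open(iso, "ab") as f:
            f.write(b"!")
        return ok, verify_against_sums(iso, sums)

if __name__ == "__main__":
    print(demo())
```

A file that is not listed raises instead of returning False, so a missing entry cannot be mistaken for a completed check.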
In reply to this post by Sean P. DeNigris
On Tue, Apr 15, 2014 at 3:22 AM, Sean P. DeNigris <[hidden email]> wrote:
> After heartbleed, I've become more security-conscious/paranoid than usual.
> Here's a little snippet that compares a downloaded Ubuntu iso file to the
> MD5 provided via SSL by Ubuntu. Not foolproof, but more peace of mind than
> crossing fingers and hoping for the best on the unsecured http mirrors...

thanks Sean, I will use it in a few days when new Ubuntu is out.

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm."
Winston Churchill |
Damien Cassou writes:
> On Tue, Apr 15, 2014 at 3:22 AM, Sean P. DeNigris <[hidden email]> wrote:
>> After heartbleed, I've become more security-conscious/paranoid than usual.
>> Here's a little snippet that compares a downloaded Ubuntu iso file to the
>> MD5 provided via SSL by Ubuntu. Not foolproof, but more peace of mind than
>> crossing fingers and hoping for the best on the unsecured http mirrors...
>
> thanks Sean, I will use it in a few days when new Ubuntu is out.

Me too :)

Nico

--
Nicolas Petton
http://nicolas-petton.fr |
In reply to this post by Sean P. DeNigris
2014-04-15 2:22 GMT+01:00 Sean P. DeNigris <[hidden email]>:
> After heartbleed, I've become more security-conscious/paranoid than usual.

You know that quote about secure computers that ends with "and even then, I'm not that sure", right? :D

Cheers,
Sergi |
In reply to this post by Sean P. DeNigris
On Tue, Apr 15, 2014 at 3:22 AM, Sean P. DeNigris <[hidden email]> wrote:
> After heartbleed, I've become more security-conscious/paranoid than usual.
> Here's a little snippet that compares a downloaded Ubuntu iso file to the
> MD5 provided via SSL by Ubuntu. Not foolproof, but more peace of mind than
> crossing fingers and hoping for the best on the unsecured http mirrors...

Your code sends #newTempFile but that doesn't exist.

    FileReference newTempfile.

I tried in both Pharo 2 and 3.

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm."
Winston Churchill |
On Apr 21, 2014, at 3:36 PM, Damien Cassou [via Smalltalk] <[hidden email]> wrote:
> Your code sends #newTempFile but that doesn't exist.

Arg… forgot to specify a dependent package. Uploading a new config now… should work…
Cheers,
Sean |
On Tue, Apr 22, 2014 at 2:04 AM, Sean P. DeNigris <[hidden email]> wrote:
> Arg... forgot to specify a dependent package. Uploading a new config now...
> should work...

nope, still same problem

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm."
Winston Churchill |
Of course because I forgot to push the new config :/ Thanks for beta testing! Now, with Dale's advice on how to disable the package cache when simulating a load from the user's perspective before publishing a config (http://forum.world.st/Disabling-package-cache-tp4755672p4755675.html), I am pretty sure it will work. But I'm at work all night, so I will push to sthub tomorrow morning.
Cheers,
Sean |
Done. You should now be able to insert and verify your own file into the following:

    Gofer it
        smalltalkhubUser: 'SeanDeNigris' project: 'Superuser';
        configuration;
        loadStable.

    "#inform: success or signal an error"
    #SuUbuntuHash asClass verify: 'ubuntu-12.04.4-desktop-amd64.iso' asFileReference.
Cheers,
Sean |
In reply to this post by Damien Cassou
Did it finally work or did you get tired of beta testing? ;)
Cheers,
Sean |
On Thu, May 8, 2014 at 7:46 PM, Sean P. DeNigris <[hidden email]> wrote:
> Did it finally work or did you get tired of beta testing? ;)

ok, I've just tried. This instruction

    NBMacShell run: 'md5 "', self fullName, '" > "', tmpFile fullName, '"'.

returns 32512 and does not write anything in tmpFile. I'm on Linux and I'm not sure NBMacShell is supposed to work there.

Moreover, #secureUrl is sent on instance side but only implemented on class side.

Best

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm."
Winston Churchill |