Re: Just an idea
On Fri, 02 May 2003 00:01:24 +1000
Shane J Pearson <firstname.lastname@example.org> wrote:
> Jose Nazario wrote:
> > On Thu, 1 May 2003, Shane J Pearson wrote:
> >>If they can modify the packages on the ftp site, they can modify the
> >>sums file too.
> > but this is what's already an accepted risk for the base tarballs in the
> > system.
> Yes, but I don't see how providing a sums file on the ftp sites gives
> any security gains.
> Why would the sums file be any more authoritative than the files it
> references on the same server?
MD5 sums not only give you the security that the files contain what they should, but also tell you if they didn't get corrupted in the process of downloading and storing them on disk.
So... Why do the base, comp, misc, man, etc. tarballs have their sums in a file?
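
The two cases argued in this thread, as an added example that is not part of the original messages: a sums file catches a corrupted download, but a sums file replaced together with the tarballs on the same server verifies cleanly unless its own digest was obtained over a separate channel. The file names, contents, the BSD-style `MD5 (name) = hex` line format and the SHA-256 pin are assumptions constructed for the illustration.

```python
import hashlib
import re

# Assumed sums-file line format (BSD md5 style): MD5 (name) = <32 hex digits>
SUMS_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{32})$")

def make_sums(files):
    """Build the sums file (bytes) a server would publish for {name: content}."""
    lines = [f"MD5 ({n}) = {hashlib.md5(c).hexdigest()}" for n, c in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()

def parse_sums(sums):
    """Parse a sums file into {name: hex digest}; reject malformed lines."""
    out = {}
    for line in sums.decode().splitlines():
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed sums line: {line!r}")
        out[m["name"]] = m["hex"]
    return out

def verify(files, sums, pinned_sha256=None):
    """Return {name: status}. pinned_sha256 (hypothetical parameter) is the
    SHA-256 of the sums file as learned over a separate channel."""
    if pinned_sha256 is not None and hashlib.sha256(sums).hexdigest() != pinned_sha256:
        return {name: "sums file not trusted" for name in files}
    expected = parse_sums(sums)
    result = {}
    for name, content in files.items():
        if name not in expected:
            result[name] = "no sum listed"
        elif hashlib.md5(content).hexdigest() == expected[name]:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result

# Constructed sample data, not real release files.
ORIGINAL = {"base.tgz": b"base set contents", "man.tgz": b"manual pages"}
SUMS = make_sums(ORIGINAL)
PIN = hashlib.sha256(SUMS).hexdigest()          # learned out of band
# Case 1: one tarball damaged in transit, sums file intact.
CORRUPTED = dict(ORIGINAL, **{"base.tgz": b"base set cont\x00nts"})
# Case 2: tarball and sums file replaced together on the same server.
REPLACED = dict(ORIGINAL, **{"base.tgz": b"different contents"})
REPLACED_SUMS = make_sums(REPLACED)

if __name__ == "__main__":
    print(verify(CORRUPTED, SUMS))              # corruption is caught
    print(verify(REPLACED, REPLACED_SUMS))      # consistent replacement passes
    print(verify(REPLACED, REPLACED_SUMS, PIN)) # pin rejects the new sums file
```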