On 18.02.2012 14:40, Neil Williams wrote:
> > I think as a start it should be made a policy that any "wrapper" package that downloads code from the net must at least do a strong checksum check on the downloaded code.
>
> Not possible to enforce as a 'MUST' because, by definition, third-party websites will not provide checksums for every possible download mechanism.
Well, it's still possible then... the maintainer can just calculate the sums on his own. Of course this does not mean things are secure (the maintainer could already be using a forged version)... but at least it helps against single MITM attacks.
Cheers, Chris.
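What a maintainer-computed checksum looks like in practice, as an added example that is not part of the thread or of any Debian package: a POSIX sh helper that a wrapper package's maintainer script could use. The maintainer pins the sha256 of the upstream file at packaging time; the helper downloads to a temporary file, compares, and only moves a matching file into place, so a tampered download never lands at the destination. The function names, the use of `curl`/`wget` and `sha256sum`/`shasum`/`openssl`, and the sample file are assumptions for the illustration. As the reply above notes, this only defends against tampering between upstream and the user; it says nothing about whether the file the maintainer hashed was genuine in the first place.

```shell
#!/bin/sh
# Added example (not from the list thread): checksum-pinned download helper
# of the kind a "wrapper" package's maintainer script could carry.
# Assumed tools: sha256sum, shasum or openssl for hashing; curl or wget.

set -u

# Print the hex sha256 of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit 0 if the file matches, 1 otherwise.
# The expected value is the checksum the maintainer pinned in the package.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# fetch_and_verify URL EXPECTED_HEX DEST
# Download to a temporary file, verify it, and only then move it into place,
# so a mismatching (possibly tampered) file never reaches DEST.
fetch_and_verify() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if command -v curl >/dev/null 2>&1; then
        curl -fsSL -o "$tmp" "$url"
    else
        wget -q -O "$tmp" "$url"
    fi || { rm -f "$tmp"; echo "download failed: $url" >&2; return 1; }
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
        return 0
    fi
    echo "checksum mismatch for $url" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $(sha256_of "$tmp")" >&2
    rm -f "$tmp"
    return 1
}

# Constructed offline self-check: a local file with known content and the
# sha256 of "hello\n", standing in for a pinned upstream checksum.
demo() {
    f=$(mktemp) || return 1
    printf 'hello\n' > "$f"
    if verify_sha256 "$f" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
        echo "checksum ok"
        rm -f "$f"
        return 0
    fi
    echo "checksum mismatch"
    rm -f "$f"
    return 1
}

demo
```

In a real package the pinned checksum would be updated together with the upstream version in the package's own source, so any change to the download silently served by the mirror shows up as an install failure rather than as executed code.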