
Re: [OT] Signed download from sourceforge



On Thu, 15 Sep 2011 20:01:08 -0400, Dan wrote:

> I was wondering how to download a binary in a secured way from
> sourceforge.

Uh? :-?

> With debian it is very straightforward, you download it, check the
> md5sum or sha1 and then check the signature.
> 
> In sourceforge I see that you can find the md5 and the sha1 but they are
> both transmitted with http and not with https. So, how can I trust the
> source? Do I miss something? Someone can hack the router (for example)

Mmm... "https://" does not add any extra security layer that solves your 
concern, I mean, with sha1 or md5sum you can ensure the file you download 
is the same as it is in the server and has not been changed nor corrupted.

But now think about it... how do you know the file you are going to 
download is good? Even if it is signed it can contain "bad" code >;-)

In brief, adding a secure channel here (like https) does not make sense 
as you are not transferring sensitive information, it's all public :-)

Greetings,

-- 
Camaleón
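The checksum step Dan describes (compare the downloaded file against a published MD5SUMS / SHA1SUMS list), written out as an added example; this is not code from the thread, from Debian or from SourceForge. The checksum-file format assumed is the coreutils one ("<hexdigest>  <name>", or " *<name>" for binary mode), the algorithm is inferred from the digest length, and the file names and payloads in demo() are constructed. The last case in demo() shows what the check does and does not tell you when the file and the checksum list arrive from the same place.

```python
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> algorithm. Assumption: MD5SUMS/SHA1SUMS
# style files do not name their algorithm, so it is inferred from the length.
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_DIGITS = set("0123456789abcdef")


def parse_checksum_file(text):
    """Parse coreutils-style lines ("<hexdigest>  <name>" or "<hexdigest> *<name>")."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line %d: %r" % (lineno, raw))
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) not in DIGEST_ALGORITHMS or not set(digest) <= HEX_DIGITS:
            raise ValueError("unrecognised digest on line %d: %r" % (lineno, digest))
        entries[name] = digest
    return entries


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash the file in chunks so a large download need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text):
    """Return "ok", "mismatch" or "missing" for one downloaded file.

    "missing" means the list has no entry for this file name; a caller should
    treat that as a failure rather than silently skipping the check.
    """
    entries = parse_checksum_file(checksum_text)
    name = os.path.basename(path)
    if name not in entries:
        return "missing"
    expected = entries[name]
    actual = file_digest(path, DIGEST_ALGORITHMS[len(expected)])
    # Constant-time comparison; harmless here but the right habit for digests.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def _write(directory, name, data):
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Constructed scenario: a published file and its SHA1SUMS, a corrupted copy,
    an unlisted file, and a substituted file shipped with a matching list."""
    genuine = b"#!/bin/sh\necho genuine installer\n"
    published_sums = "%s  installer.sh\n" % hashlib.sha1(genuine).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2, \
            tempfile.TemporaryDirectory() as d3:
        results["intact"] = verify_download(_write(d1, "installer.sh", genuine), published_sums)
        # One changed byte (a corrupt download): the digest no longer matches.
        corrupted = genuine[:-2] + b"X\n"
        results["corrupted"] = verify_download(_write(d2, "installer.sh", corrupted), published_sums)
        results["unlisted"] = verify_download(_write(d2, "other.tar.gz", genuine), published_sums)
        # If the file and the checksum list both come from the same party, a
        # substituted pair is internally consistent and the check passes.
        evil = b"#!/bin/sh\necho substituted installer\n"
        evil_sums = "%s *installer.sh\n" % hashlib.sha1(evil).hexdigest()
        results["substituted_pair"] = verify_download(_write(d3, "installer.sh", evil), evil_sums)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-17s %s" % (case, verdict))
```

Run it directly to see the four verdicts; the "substituted_pair" case returning "ok" is the reason the Debian procedure Dan mentions does not stop at the checksum but goes on to verify a signature made with a key obtained separately.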

