Re: leaks in our only-signed-software fortress

On 18.02.2012 14:40, Neil Williams wrote:
>> I think as a start it should be made a policy that any "wrapper" package that downloads code from the net must at least do a strong checksum check on the
>> downloaded code.
> Not possible to enforce as a 'MUST' because, by definition, third-party
> websites will not provide checksums for every possible download

Well, it's still possible then... the maintainer can just calculate sums on his own. Of course this does not mean things are secure (the maintainer could already use a forged version)... but at least it helps against single MITM attacks.
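What the "maintainer calculates the sum himself" approach looks like in practice, as an added example that is not part of this thread or of any Debian package: the wrapper package hardcodes a SHA-256 sum the maintainer computed on the file they inspected, downloads the file, and refuses to go on (and deletes the download) if the sum does not match. It assumes sha256sum from coreutils and wget; the URL and sum in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): download step of a "wrapper" package
# with a maintainer-pinned SHA-256 sum. Assumes sha256sum and wget exist.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX, 1 otherwise. On mismatch the
# file is removed so a tampered download is never left for a later step.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
}

# fetch_and_verify URL EXPECTED_HEX DEST
# Downloads URL to DEST and succeeds only when the pinned sum matches.
# The sum is a constant in the package, not something fetched from the
# same site as the file; that is what makes it useful against a MITM.
fetch_and_verify() {
    url=$1
    expected=$2
    dest=$3
    wget -q -O "$dest" "$url" || { rm -f "$dest"; return 1; }
    verify_sha256 "$dest" "$expected"
}

# Example use in a maintainer script (placeholder URL and sum):
# fetch_and_verify "https://example.invalid/plugin.tar.gz" \
#     "<sha256 the maintainer computed on the inspected file>" \
#     /var/cache/wrapper-pkg/plugin.tar.gz || exit 1
```

The pinned sum only buys what the thread says it does: it detects a download that differs from the one the maintainer inspected, so a transparent on-path substitution fails, but it cannot tell whether the maintainer's own copy was already forged.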