Re: leaks in our only-signed-software fortress
On 18.02.2012 18:45, Philip Hands wrote:
> He's talking about stuff like flash-nonfree (or whatever) where we have
> a wrapper that wgets the actual tarball for you from the distributor,
> and checks the checksum of whatever it ends up with.
Actually things like this should be done, if nothing better (signatures
+ trust path) is available... of course it doesn't make things 100%
sure, but even if it gets us just some 10% likeliness of noting an
attack it's worth it (IMHO).
> (perhaps if paranoid do the
> download from elsewhere on a different day, make sure the checksums