
Re: leaks in our only-signed-software fortress



On 18.02.2012 18:45, Philip Hands wrote:
> He's talking about stuff like flash-nonfree (or whatever) where we ship
> a wrapper that wgets the actual tarball for you from the distributor,
> and checks the checksum of whatever it ends up with.

Yes!

> (perhaps if paranoid do the
> download from elsewhere on a different day, make sure the checksums
> match),

Actually things like this should be done, if nothing better (signatures + trust path) is available... of course it doesn't make things 100% sure, but even if it gets us just some 10% likeliness of noting an attack it's worth it (IMHO).


Cheers,
Chris.
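
The wrapper pattern discussed in this message, as an added example that is not part of the original mail or of any Debian package: verify a downloaded tarball against a checksum pinned inside the signed package, and compare copies fetched independently. All function names are hypothetical, the download step is left out so the block runs offline, and the file contents are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream the file so large tarballs are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_pinned(path, pinned_hex):
    """True only if the download matches the checksum shipped in the signed package."""
    return hmac.compare_digest(sha256_file(path), pinned_hex.strip().lower())

def cross_check(paths):
    """Compare copies fetched from different mirrors or on different days."""
    return len({sha256_file(p) for p in paths}) == 1

def install_if_trusted(path, pinned_hex, unpack):
    """Delete a mismatching download and never pass it to the unpack step."""
    if not verify_pinned(path, pinned_hex):
        os.unlink(path)
        raise ValueError("checksum mismatch, refusing to install: " + path)
    return unpack(path)

def demo():
    # Constructed bytes stand in for the vendor tarball (no network access).
    good, files = b"constructed vendor tarball\n", {}
    tmp = tempfile.mkdtemp()
    for name, data in (("day1", good), ("day2", good), ("tampered", good + b"!")):
        files[name] = os.path.join(tmp, name)
        with open(files[name], "wb") as f:
            f.write(data)
    pinned = hashlib.sha256(good).hexdigest()  # would be fixed at packaging time
    result = {"good_ok": install_if_trusted(files["day1"], pinned, os.path.getsize),
              "independent_agree": cross_check([files["day1"], files["day2"]])}
    try:
        install_if_trusted(files["tampered"], pinned, os.path.getsize)
        result["tampered_rejected"] = False
    except ValueError:
        result["tampered_rejected"] = True
    result["tampered_deleted"] = not os.path.exists(files["tampered"])
    return result
```

The pinned value only carries the trust of whoever recorded it, so agreement between independent downloads at packaging time is what gives the checksum its meaning.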