
Re: leaks in our only-signed-software fortress

On 18.02.2012 18:45, Philip Hands wrote:
> He's talking about stuff like flash-nonfree (or whatever) where we ship
> a wrapper that wgets the actual tarball for you from the distributor,
> and checks the checksum of whatever it ends up with.

> (perhaps if paranoid do the
> download from elsewhere on a different day, make sure the checksums

Actually things like this should be done, if nothing better (signatures + trust path) is available... of course it doesn't make things 100% sure, but even if it gets us just some 10% likeliness of noting an attack it's worth it (IMHO).
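
The checksum gate of a download wrapper like the one discussed in this thread, as an added example that is not part of the original message or of any Debian package. The function names are hypothetical, and it assumes the expected SHA-256 ships inside the signed wrapper package, so the trust path runs from the archive signature to the pinned digest.

```shell
#!/bin/sh
# Added example: pinned-checksum gate for a downloader wrapper.
# All function names are hypothetical; the pin is assumed to come from
# the signed package, never from the same server as the payload.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# verify_pinned FILE EXPECTED: 0 on match, 1 on mismatch or missing
# file, 2 when EXPECTED is not a 64-character lowercase hex digest.
verify_pinned() {
    file=$1; expected=$2
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# install_verified SRC EXPECTED DEST: move SRC to DEST only when the
# digest matches; otherwise delete SRC so an unverified payload never
# stays on disk, and fail.
install_verified() {
    src=$1; expected=$2; dest=$3
    if verify_pinned "$src" "$expected"; then
        mv -- "$src" "$dest"
    else
        rm -f -- "$src"
        echo "checksum mismatch for $src, refusing to install" >&2
        return 1
    fi
}

# Offline demo on a constructed payload: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'constructed tarball bytes\n' > "$tmp/payload"
    pin=$(sha256_of "$tmp/payload")        # stands in for the shipped pin
    printf 'tampered' >> "$tmp/payload"    # simulate a modified download
    install_verified "$tmp/payload" "$pin" "$tmp/installed" || echo "rejected"
    rm -rf "$tmp"
fi
```

In a real wrapper the download step writes to a temporary path and `install_verified` is the only code that moves it into place.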

