Re: Is there any security risk using p2p client ?

[Steve Lamb <grey@dmiyu.org>]

Dave Sherohman wrote:
> If you're verifying the checksum, then you implicitly don't trust the're
> file 100%.

[ snippage ]

> Always obtain your checksums via an alternate (cryptographically-
> secured) path, not directly from the data they're being used to verify.

    Wow, failure to understand torrents.  Ok, if we obtain the .torrent from a
Debian site then it is a de facto checksum.  The .torrent contains a checksum
for every block of the torrent.  IE, the checksum is not coming from the file
you're downloading via the P2P client, it came from the (presumably) secure
source you're advising them to go to after the fact.


-- 
         Steve C. Lamb         | But who decides what they dream?
       PGP Key: 8B6E99C5       |   And dream I do...
-------------------------------+---------------------------------------------