
Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System



Hi,

Nicolas George wrote:
> Of course, that does not mean MD5 and SHA-1 should be used nowadays. New
> theoretical attacks are found, keeping using hashes with known weaknesses is
> stupid.

The ISO checksums are provided more for transport verification than
for the fight against intentional manipulation.
Signing the hash lists by PGP still seems a bit weak as protection.

But well, if Debian armors its ISOs, then it would have to scrutinize
the source of its packages, too.

Most important seems a permanent supervision of the web site content
from not publicly known client machines. Hash sums may be manipulated.
But the whole content of an ISO is either original or not. Easy to spot.


Have a nice day :)

Thomas
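
The point above about hash lists being manipulated along with the image, as an added example that is not part of the original message: a monitoring client judges each download against a reference list it keeps itself, not against the list the site publishes. SHA-256, the function names and the tiny sample "images" are assumptions constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums

def audit(download_dir, published_sums, pinned_sums):
    """Judge each downloaded image against the pinned list, not the site's own."""
    published = parse_sums(published_sums)
    report = {}
    for name, good in parse_sums(pinned_sums).items():
        path = Path(download_dir) / name
        if not path.is_file():
            report[name] = "missing"
        elif (actual := sha256_file(path)) == good:
            report[name] = "ok"
        elif published.get(name) == actual:
            report[name] = "replaced, site checksum list altered too"
        else:
            report[name] = "differs from pinned reference"
    return report

def demo():
    """Constructed data: the site list vouches for the swapped image only."""
    digest = lambda data: hashlib.sha256(data).hexdigest()
    originals = {n: n.encode() * 512 for n in ("good.iso", "swapped.iso", "damaged.iso")}
    served = {**originals, "swapped.iso": b"replaced image", "damaged.iso": b"truncated"}
    pinned = "\n".join(f"{digest(v)}  {k}" for k, v in originals.items())
    site = {**served, "damaged.iso": originals["damaged.iso"]}
    published = "\n".join(f"{digest(v)} *{k}" for k, v in site.items())
    with tempfile.TemporaryDirectory() as d:
        for name, data in served.items():
            Path(d, name).write_bytes(data)
        return audit(d, published, pinned)
```

In `demo()` the swapped image passes a check against the site's own list and fails only against the pinned one, which is the case a transport checksum cannot catch.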

