
Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System




On 23/02/2016 10:02 PM, Thomas Schmitt wrote:
> Hi,
> 
> Nicolas George wrote:
>> Of course, that does not mean MD5 and SHA-1 should be used nowadays. New
>> theoretical attacks are found, keeping using hashes with known weaknesses is
>> stupid.
> 
> The ISO checksums are provided more for transport verification than
> for the fight against intentional manipulation.
> Signing the hash lists by PGP still seems a bit weak as protection.

Sigs can help, but then you need to know that you have the correct
/fingerprint/ and that you trust it.  Methods to check trust are
described fairly well at the Tails website (of the Tor project).

They have sigs from Debian devs and others, if you trust those devs,
then you are a long way towards trusting the fingerprint and then you
should be able to trust the signature.

https://tails.boum.org/doc/get/trusting_tails_signing_key/index.en.html

So, if the keys are done right and signing is done with trusted sigs,
well... you should be fine with testing the sig properly.

Cheers
A.
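
The point made in the reply above, as an added example that is not part of the original message: a signature that verifies only matters if it comes from the key whose full fingerprint you obtained and trust. This Python code assumes gpg's `--status-fd` `VALIDSIG` line format and a v4 (40 hex digit) fingerprint; the fingerprint, file name and image bytes are constructed.

```python
import hashlib
import re
import subprocess

def gpg_status(sig_path, data_path):
    """Return gpg's machine-readable status for a detached signature (needs gpg)."""
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path, data_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def normalize(fpr):
    """Strip spaces from a printed fingerprint and upper-case it."""
    return re.sub(r"\s+", "", fpr).upper()

def signed_by_pinned_key(status, pinned_fpr):
    """True only if a VALIDSIG line names the pinned primary-key fingerprint."""
    pinned = normalize(pinned_fpr)
    if not re.fullmatch(r"[0-9A-F]{40}", pinned):
        raise ValueError("pin a full 40-hex-digit fingerprint, not a short key ID")
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            # parts[2] is the signing key; the 12th token, when present,
            # is the primary key's fingerprint (differs if a subkey signed).
            primary = parts[11] if len(parts) >= 12 else parts[2]
            if normalize(primary) == pinned:
                return True
    return False

def file_matches_list(sums_text, name, data):
    """Check data against the SHA-256 entry for name in a sha256sum-style list."""
    digest = hashlib.sha256(data).hexdigest()
    for line in sums_text.splitlines():
        fields = line.split(maxsplit=1)
        if len(fields) == 2 and fields[1].lstrip("*").strip() == name:
            return fields[0].lower() == digest
    return False

def download_trusted(status, pinned_fpr, sums_text, name, data):
    """Both must hold: the list is signed by the pinned key and the file matches it."""
    return (signed_by_pinned_key(status, pinned_fpr)
            and file_matches_list(sums_text, name, data))

# Constructed sample values (not real keys or images).
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
OTHER = "F" * 40
def sample_status(fpr):
    return f"[GNUPG:] VALIDSIG {fpr} 2016-02-23 1456185600 0 4 0 1 8 00 {fpr}\n"
ISO = b"constructed image bytes"
SUMS = hashlib.sha256(ISO).hexdigest() + "  example.iso\n"
```

A checksum list signed by any other key, however valid that signature is, fails the first check, which is the case a replaced hash list on a compromised site would produce.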

