Re: [GNU-linux-libre] Help users to verify their downloads
From: Ineiev
Subject: Re: [GNU-linux-libre] Help users to verify their downloads
Date: Tue, 19 Jun 2018 01:55:35 -0400
User-agent: Mutt/1.5.21 (2010-09-15)

On Mon, Jun 18, 2018 at 08:47:11PM -0400, bill-auger wrote:
> on the one hand there are checksums, often in files named MD5SUMS, SHA256SUMS,
> and similar
...
> anyone with a completed download could modify it and create a new checksum
> that will match the modified file
...
> on the other hand, files that were signed with a GPG key are attributable to
> the person who authored it
...
> the original signature of the distro developer would not be valid against the
> modified version - that person could sign it with their own GPG key; but that
> would obviously be not one of the official keys published on the distro's website
Perhaps you should also explain how MITMing files with checksums on the distro's
site differs from MITMing the official keys on the same site.
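
An added example, not part of the original message or of any distro's tooling: it models a download site that serves an image, its SHA256SUMS file, and a signing key over one channel, and compares each against digests pinned from an independent channel. The file names, the sample bytes, and the use of a SHA-256 digest of the key file as a stand-in for an OpenPGP fingerprint are assumptions.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_site(image: bytes, key: bytes) -> dict:
    """Model a download site: image, its SHA256SUMS, and the published key."""
    sums = f"{sha256_hex(image)}  distro.iso\n".encode()
    return {"distro.iso": image, "SHA256SUMS": sums, "signing-key.asc": key}

def parse_sums(text: str) -> dict:
    """Parse coreutils-style lines: '<hex digest>  <file name>'."""
    sums = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            sums[name.lstrip("*")] = digest.lower()
    return sums

def verify(site: dict, pinned: dict) -> dict:
    """Compare what the site serves with itself and with pinned digests."""
    listed = parse_sums(site["SHA256SUMS"].decode())
    return {
        # Self-consistency only: file and list came over the same channel.
        "image_matches_site_sums": listed.get("distro.iso") == sha256_hex(site["distro.iso"]),
        # Trust anchors compared with values obtained out of band.
        "sums_match_pin": sha256_hex(site["SHA256SUMS"]) == pinned["SHA256SUMS"],
        "key_matches_pin": sha256_hex(site["signing-key.asc"]) == pinned["signing-key.asc"],
    }

# Constructed sample data, not real images or keys.
genuine = build_site(b"genuine image bytes", b"constructed official key")
# Digests the user obtained earlier over an independent channel (assumption).
PINNED = {n: sha256_hex(genuine[n]) for n in ("SHA256SUMS", "signing-key.asc")}
# What a modified channel would serve: new image, regenerated list, other key.
substituted = build_site(b"modified image bytes", b"constructed other key")

def demo() -> tuple:
    return verify(genuine, PINNED), verify(substituted, PINNED)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

For the substituted site the image still matches the checksum list served alongside it, while both the list and the key differ from the pinned digests.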