Re: checksum suggestion

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bill Davidsen <davidsen@xxxxxxx> writes:
> Security note: any checksum is only as secure as the source of the
> checksum. 

Very true.  One has to ask why bother having a checksum at all???  Why
not just digitally sign the iso directly (with a detached signature).

Digital signatures are just hash-digests of the object which have been
individually signed.  

Signing the iso's directly (instead of signing a checksum file) solves
two problems: 1) one knows that the checksum hasn't been tampered with
and 2) the mechanics of which checksum command to use is hidden from the
user.  There is also another slight advantage, newbies don't end up
comparing the checksums by hand if they don't notice the "-c" flag to
sha256sum.

-wolfgang
-- 
Wolfgang S. Rupprecht              Android 1.5 (Cupcake) and Fedora-11

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux