On Mon, Nov 12, 2007 at 03:14:32 +0100, Björn Persson <listor3.rombobeorn@xxxxxxxxxx> wrote: > söndagen den 11 november 2007 skrev Rahul Sundaram: > > http://fedoraproject.org/verify is up. Would be added to the download > > page soon. > > That page says, quite correctly, that the downloaded file should be verified > for security and integrity. Then it says that if the file was downloaded via > Bitorrent it has already been verified. Is that really so? As far as I know > Bittorrent verifies for integrity but not for security – that is, it guards > against errors in the download process but not against a maliciously modified > torrent. Does Bittorrent verify some cryptographic signature that I don't > know about? It guards against malicious peers. If you somehow bad a bad torrent file that pointed you to the wrong place to start the download, you could get a bad copy.
