Bill Davidsen <davidsen@xxxxxxx> writes:

> Security note: any checksum is only as secure as the source of the
> checksum.

Very true. One has to ask why bother having a checksum at all??? Why not just digitally sign the iso directly (with a detached signature). Digital signatures are just hash-digests of the object which have been individually signed.

Signing the iso's directly (instead of signing a checksum file) solves two problems: 1) one knows that the checksum hasn't been tampered with and 2) the mechanics of which checksum command to use is hidden from the user. There is also another slight advantage, newbies don't end up comparing the checksums by hand if they don't notice the "-c" flag to sha256sum.

-wolfgang
--
Wolfgang S. Rupprecht
Android 1.5 (Cupcake) and Fedora-11
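The two verification paths discussed in this message, side by side, as an added example that is not part of the original post. It assumes GnuPG 2.1 or later and coreutils `sha256sum`; `demo.iso`, `CHECKSUM`, the throwaway key and the helper names `check` and `run_demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example. demo.iso, CHECKSUM and the signing key are constructed here;
# none of them is a real Fedora image, checksum file or release key.

check() {  # prints OK or FAIL depending on the exit status of the given command
  if "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

run_demo() (
  work=$(mktemp -d) || exit 1
  export GNUPGHOME="$work/gnupg"   # isolated keyring, the user's own is untouched
  trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT
  mkdir -m 700 "$GNUPGHOME" && cd "$work" || exit 1
  gpg_q() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null; }

  # Publisher side: throwaway key, the image, and both kinds of artifact.
  gpg_q --quick-generate-key 'Demo Key <demo@example.invalid>' default default never || exit 1
  printf 'constructed image contents\n' > demo.iso
  sha256sum demo.iso > CHECKSUM                                  # unsigned checksum file
  gpg_q --detach-sign --output demo.iso.sig demo.iso || exit 1   # signature over the image itself

  echo "clean: checksum=$(check sha256sum -c CHECKSUM) signature=$(check gpg --batch --verify demo.iso.sig demo.iso)"

  # The download location is altered: the image changes and the unsigned
  # checksum file is regenerated to match. The detached signature cannot be
  # regenerated without the private key, so it is left as published.
  printf 'modified\n' >> demo.iso
  sha256sum demo.iso > CHECKSUM

  echo "modified: checksum=$(check sha256sum -c CHECKSUM) signature=$(check gpg --batch --verify demo.iso.sig demo.iso)"
)

run_demo
```

The unsigned checksum still reports OK after the change because it came from the same place as the image, while `gpg --verify` on the detached signature fails.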