On Monday 09 April 2007, David Brodbeck wrote:
Michael Skiba wrote:
...sure it'll be possible to have two files with the same, the point is that it is almost impossible to make use of it to attack something, since the file with the same md5sum must be valid and contain the destructive code, and this will be rather difficult.
Right. On the other hand, if someone has access to the web server to plant their malicious files, they also have access to the files that hold the checksums. So in practice checksums are good protection against files corrupted in transit, but rather weak protection against malicious modifications. To check for that, you'd use PGP and get the public key from a keyserver or some other source, *not* from the webserver you downloaded the file from.
Unless the checksums are signed, getting the PGP key will do you no good.

If you suppose that the web site can be easily compromised, why not order a CD-ROM?

As is usual for this board, the entire topic has now spiraled out of control into a fit of paranoia, fear, and suspicion. Perhaps there are people who should not use computers at all.

--
John Andersen
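The trade-off discussed in this thread, as an added example that is not part of the original messages: a small model of a download server holding a file, its checksum list, a signature over that list, and a public key. It assumes a toy textbook RSA signature as a stand-in for PGP (insecure, for illustration only); all function names and sample data are constructed for the example.

```python
import hashlib

# Toy textbook RSA standing in for a PGP signature (assumption; insecure, illustration only).
E = 65537

def make_key(p, q):
    # Returns ((n, e), d): the public key and the private exponent.
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(data: bytes, pub, priv) -> int:
    return pow(int(digest(data), 16) % pub[0], priv, pub[0])

def sig_ok(data: bytes, sig: int, pub) -> bool:
    return pow(sig, pub[1], pub[0]) == int(digest(data), 16) % pub[0]

def publish(iso: bytes, pub, priv):
    # Everything in this dict lives on the same web server.
    sums = f"{digest(iso)}  image.iso\n".encode()
    return {"iso": iso, "sums": sums, "sig": sign(sums, pub, priv), "key": pub}

def checksum_ok(server) -> bool:
    # Plain checksum check: compares the file with the list hosted beside it.
    return server["sums"].split()[0].decode() == digest(server["iso"])

def download_ok(server, trusted_pub) -> bool:
    # Verify the signature over the checksum list first, then the file against the list.
    return sig_ok(server["sums"], server["sig"], trusted_pub) and checksum_ok(server)

# Constructed keys built from known Mersenne primes (far too small for real use).
PROJECT_PUB, PROJECT_PRIV = make_key(2**127 - 1, 2**89 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_key(2**107 - 1, 2**61 - 1)

good = publish(b"genuine image (constructed sample)", PROJECT_PUB, PROJECT_PRIV)
# Someone with write access to the server replaces the file and everything beside it;
# they can only re-sign with their own key, which they also leave on the server.
bad = publish(b"modified image (constructed sample)", ATTACKER_PUB, ATTACKER_PRIV)
corrupted = dict(good, iso=good["iso"][:-1])  # one byte lost in transit

def scenarios():
    return {
        "corrupted in transit, checksum only": checksum_ok(corrupted),
        "modified, checksum only": checksum_ok(bad),
        "modified, key from same server": download_ok(bad, bad["key"]),
        "modified, key from keyserver": download_ok(bad, PROJECT_PUB),
        "genuine, key from keyserver": download_ok(good, PROJECT_PUB),
    }

if __name__ == "__main__":
    print(scenarios())
```

Only the check that verifies a signature over the checksum list with a key obtained away from the download server rejects the modified file; the unsigned checksum catches transit corruption and nothing else.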