Carlos E. R. wrote:
The Friday 2007-04-06 at 20:41 +0200, Anders Johansson wrote:
Should I remind you that SuSE/Novell uses torrent to distribute the iso images of the distribution? Indeed, the "virus" that SuSE distributes is the one I have installed in my system, alive and running - it is called "opensuse linux"! That doesn't change the fact that bittorrent in itself doesn't have security. It also doesn't change the fact that a checksum is not a security feature. It only helps you ensure that what you get is what the other side sent. In the end, you're still stuck with the question "do I trust the sender". Bittorrent doesn't help you with that.
And that's way more than what ftp does: I normally get what the other side sent, with no integrity check. The same as any other file transfer protocol, be it ftp, http, samba, nfs... you name it, I have to trust what the other side sends. With torrent at least integrity is checked.
You are missing the point: torrent, in the way that Novell uses it to distribute opensuse, is as secure as can be. It is they who post the link with the checksums, and it is they who put the seeds. We don't get those from out there in the wild.
Bittorrent relies on replication on multiple source servers so that the client can obtain data from multiple sources. To some extent it sidesteps the bandwidth and server load issues, but there is the potentially dangerous assumption that the source servers concerned are securely maintained by people of good intention. (There are also a few domestic router/modems that choke under the number of open connections that bittorrent can accumulate, but that is a separate issue). Checksums, as has already been pointed out, provide no security, only a guarantee of the integrity of the source files, and as such are essential for technologies such as bittorrent to work. However, checksum + datasource checks can be gimmicked (though in the instance of bittorrent such gimmickry is unlikely to work). It should also be noted that Novell have resources that most individuals do not have to monitor the distribution and flag possible problems.
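The integrity mechanism the thread is arguing about, as an added illustration that is not part of any message above: a torrent's metainfo carries one 20-byte SHA-1 per piece, so the client can reject a tampered piece from one peer and take the same piece from another, yet a file built to match a forged metainfo verifies just as cleanly, which is the "do I trust the sender" point. Piece length, peer names and payload bytes are constructed for the example.

```python
import hashlib

PIECE_LENGTH = 16  # constructed: tiny piece size so the sample stays readable


def make_pieces_field(data, piece_length=PIECE_LENGTH):
    """Build the metainfo 'pieces' value: concatenated 20-byte SHA-1 digests, one per piece."""
    return b"".join(hashlib.sha1(data[i:i + piece_length]).digest()
                    for i in range(0, len(data), piece_length))


def verify_piece(pieces, index, chunk):
    """Accept a piece only if its SHA-1 equals the hash stored in the metainfo."""
    return hashlib.sha1(chunk).digest() == pieces[index * 20:(index + 1) * 20]


def assemble(pieces, offered):
    """offered maps piece index -> list of (peer, chunk) candidates from several peers.
    Take the first candidate that verifies; record every (index, peer) that fails."""
    out, rejected = [], []
    for index in range(len(pieces) // 20):
        for peer, chunk in offered[index]:
            if verify_piece(pieces, index, chunk):
                out.append(chunk)
                break
            rejected.append((index, peer))
        else:
            raise ValueError("no valid copy of piece %d" % index)
    return b"".join(out), rejected


# Constructed sample payload standing in for an ISO; three pieces of 16, 16 and 13 bytes.
ORIGINAL = b"constructed sample ISO payload, not real data"
PIECES = make_pieces_field(ORIGINAL)


def download_with_bad_peer():
    """One peer serves a corrupted copy of piece 1; integrity checking drops it."""
    good = [ORIGINAL[i:i + PIECE_LENGTH] for i in range(0, len(ORIGINAL), PIECE_LENGTH)]
    offered = {0: [("seed-a", good[0])],
               1: [("peer-evil", good[1][:-1] + b"X"), ("seed-b", good[1])],
               2: [("peer-c", good[2])]}
    return assemble(PIECES, offered)


def forged_metainfo_verifies():
    """Integrity is only relative to the metainfo you trusted: if the attacker supplies the
    .torrent as well as the data, every piece of the substitute file checks out."""
    substitute = b"entirely different constructed bytes here"
    forged = make_pieces_field(substitute)
    chunks = [substitute[i:i + PIECE_LENGTH] for i in range(0, len(substitute), PIECE_LENGTH)]
    return all(verify_piece(forged, i, c) for i, c in enumerate(chunks))
```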