Fedora 8 torrents aren't signed!?

Bruno Wolff III bruno at wolff.to
Mon Nov 12 04:38:23 UTC 2007

On Mon, Nov 12, 2007 at 03:14:32 +0100,
  Björn Persson <listor3.rombobeorn at tdcpost.se> wrote:
> söndagen den 11 november 2007 skrev Rahul Sundaram:
> > http://fedoraproject.org/verify is up. Would be added to the download
> > page soon.
> That page says, quite correctly, that the downloaded file should be verified 
> for security and integrity. Then it says that if the file was downloaded via 
> Bitorrent it has already been verified. Is that really so? As far as I know 
> Bittorrent verifies for integrity but not for security – that is, it guards 
> against errors in the download process but not against a maliciously modified 
> torrent. Does Bittorrent verify some cryptographic signature that I don't 
> know about?

It guards against malicious peers. If you somehow bad a bad torrent file
that pointed you to the wrong place to start the download, you could get
a bad copy.

More information about the fedora-list mailing list