Fedora 8 torrents aren't signed!?
Bruno Wolff III
bruno at wolff.to
Mon Nov 12 04:38:23 UTC 2007
On Mon, Nov 12, 2007 at 03:14:32 +0100,
Björn Persson <listor3.rombobeorn at tdcpost.se> wrote:
> söndagen den 11 november 2007 skrev Rahul Sundaram:
> > http://fedoraproject.org/verify is up. Would be added to the download
> > page soon.
>
> That page says, quite correctly, that the downloaded file should be verified
> for security and integrity. Then it says that if the file was downloaded via
> Bitorrent it has already been verified. Is that really so? As far as I know
> Bittorrent verifies for integrity but not for security – that is, it guards
> against errors in the download process but not against a maliciously modified
> torrent. Does Bittorrent verify some cryptographic signature that I don't
> know about?
It guards against malicious peers. If you somehow bad a bad torrent file
that pointed you to the wrong place to start the download, you could get
a bad copy.
More information about the fedora-list
mailing list