checksum suggestion

Wolfgang S. Rupprecht wolfgang.rupprecht+gnus200906 at gmail.com
Fri Jun 19 20:05:12 UTC 2009


Bill Davidsen <davidsen at tmr.com> writes:
> Security note: any checksum is only as secure as the source of the
> checksum. 

Very true.  One has to ask why bother having a checksum at all???  Why
not just digitally sign the ISO directly (with a detached signature)?

Digital signatures are just hash-digests of the object which have been
individually signed.  

Signing the ISOs directly (instead of signing a checksum file) solves
two problems: 1) one knows that the checksum hasn't been tampered with
and 2) the mechanics of which checksum command to use are hidden from the
user.  There is also another slight advantage: newbies don't end up
comparing the checksums by hand if they don't notice the "-c" flag to
sha256sum.

-wolfgang
-- 
Wolfgang S. Rupprecht              Android 1.5 (Cupcake) and Fedora-11
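
The two checks discussed in this message, as an added example that is not part of the original post: an unsigned checksum file verified with `sha256sum -c`, next to a detached signature made over the image itself. It assumes `sha256sum` and `openssl` are installed and uses `openssl dgst` for the signature (the post names no signing tool); `demo.iso`, the throwaway key pair and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. demo.iso, the key pair and all file names are constructed.
# Assumption: openssl stands in for whatever signing tool a distribution uses.
# In practice pub.pem reaches the user over a channel other than the download.

make_fixture() {  # $1 = work dir: build the image, checksum file and signature
    printf 'constructed stand-in for an ISO image\n' > "$1/demo.iso"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
    (cd "$1" && sha256sum demo.iso > SHA256SUM)
    # Detached signature: the SHA-256 digest of the image, signed with the key.
    openssl dgst -sha256 -sign "$1/priv.pem" -out "$1/demo.iso.sig" "$1/demo.iso"
}

verify_checksum() {  # succeeds when the image matches the checksum file
    (cd "$1" && sha256sum -c SHA256SUM >/dev/null 2>&1)
}

verify_signature() {  # succeeds only when the image matches the signature
    openssl dgst -sha256 -verify "$1/pub.pem" -signature "$1/demo.iso.sig" \
        "$1/demo.iso" 2>/dev/null | grep -q 'Verified OK'
}

replace_image_and_checksum() {  # models an untrusted source serving both files
    printf 'different contents\n' > "$1/demo.iso"
    (cd "$1" && sha256sum demo.iso > SHA256SUM)
}

report() {  # $1 = work dir, $2 = label
    if verify_checksum "$1"; then c=pass; else c=FAIL; fi
    if verify_signature "$1"; then s=pass; else s=FAIL; fi
    echo "$2: sha256sum -c=$c  detached signature=$s"
}

work=$(mktemp -d)
make_fixture "$work"
report "$work" "original download"
replace_image_and_checksum "$work"
report "$work" "image and checksum file both replaced"
rm -rf "$work"
```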



