[cross-project-issues-dev] Checksums on downloads

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[cross-project-issues-dev] Checksums on downloads

From: Glyn Normington <gnormington@xxxxxxxxxx>
Date: Wed, 19 Sep 2012 08:39:07 +0100
Delivered-to: cross-project-issues-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/cross-project-issues-dev>
List-help: <mailto:cross-project-issues-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=unsubscribe>

A user has pointed out that checksums downloaded over HTTP do not really add any security since a man-in-the-middle could substitute a checksum to match a substituted download. So why do we bother having these checksums? Would it be better to enable the checksums to be downloaded over https or does that put too much load on the mirrors?

(Of course, the user prefers downloads to be signed, but that's another matter.)

Regards,
Glyn

Follow-Ups:
- Re: [cross-project-issues-dev] Checksums on downloads
  - From: Henrik Lindberg

Prev by Date: [cross-project-issues-dev] Last day for Juno SR1 contributions
Next by Date: Re: [cross-project-issues-dev] Sporadic download failures
Previous by thread: [cross-project-issues-dev] Last day for Juno SR1 contributions
Next by thread: Re: [cross-project-issues-dev] Checksums on downloads
Index(es):
- Date
- Thread

Breadcrumbs