Re: [cross-project-issues-dev] Checksums on downloads

I thought the checksums were just for checking against corrupt bits in the communication, not a security feature.

- henrik

On 19 Sep 2012, at 09:39, Glyn Normington <gnormington@xxxxxxxxxx> wrote:

A user has pointed out that checksums downloaded over HTTP do not really add any security since a man-in-the-middle could substitute a checksum to match a substituted download. So why do we bother having these checksums? Would it be better to enable the checksums to be downloaded over https or does that put too much load on the mirrors?

(Of course, the user prefers downloads to be signed, but that's another matter.)
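
The two views in this thread (a checksum as a corruption check versus a checksum as a security control) can be compared side by side in this added example, which is not part of the original messages. SHA-256, the sample byte strings and the idea of a `TRUSTED` copy fetched over HTTPS are assumptions made for illustration.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify(artifact: bytes, checksum: str) -> bool:
    """True when the artifact hashes to the given hex SHA-256 checksum."""
    return hmac.compare_digest(sha256_hex(artifact), checksum.strip().lower())

def flip_bit(data: bytes, index: int) -> bytes:
    """Model accidental corruption: flip the lowest bit of one byte."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

# Constructed sample data; nothing here comes from a real release.
RELEASE = b"constructed release archive contents"
REPLACED = b"constructed different archive contents"

# TRUSTED stands for the checksum obtained over an authenticated channel
# (assumption: HTTPS from the project's own site, not from the mirror).
TRUSTED = sha256_hex(RELEASE)

def scenarios() -> dict:
    corrupted = flip_bit(RELEASE, 5)
    return {
        # Clean download, checksum from the same mirror: passes.
        "clean_same_channel": verify(RELEASE, sha256_hex(RELEASE)),
        # Bits damaged in transit, checksum intact: detected.
        "corrupt_same_channel": verify(corrupted, TRUSTED),
        # Download and checksum both replaced on the HTTP path: passes,
        # so a same-channel checksum says nothing about origin.
        "replaced_same_channel": verify(REPLACED, sha256_hex(REPLACED)),
        # Same replaced download checked against the trusted copy: detected.
        "replaced_trusted_checksum": verify(REPLACED, TRUSTED),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```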

