[fpc-pascal] FPC 3.0.4 released!

Tomas Hajny XHajT03 at hajny.biz
Fri Dec 1 00:35:11 CET 2017


On Fri, December 1, 2017 00:18, Graeme Geldenhuys wrote:
> On 2017-11-30 22:26, Tomas Hajny wrote:
>> Checksums may indeed be created / calculated rather easily. However,
>> that
>> is not enough. The checksums must get to the end user in secured way as
>> well, otherwise it makes no sense.
>
>
> As the saying goes... Take a page from the playbook of FreeBSD or any
> Linux distro for that matter.
>
>    http://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/
 .
 .

Sorry, I know that this is being done, but I don't see how is that more
secure than just downloading the file via HTTPS. As long as the checksums
are not signed, they may be tampered with (or not) the same way as the
original files. Obviously, there are more secure mechanisms (let's take
Debian packages with their signatures as an example), but these require
more overhead (especially with different release makers for different
targets) and still end up with requiring some root trusted element at the
beginning (which usually needs to be downloaded via the same mechanisms as
the installation files in the end which implies that it's still as secure
as the download channel used for getting the files).

Tomas





More information about the fpc-pascal mailing list