On Sun, Aug 16, 2009 at 12:05:08PM +0300, ?????????????? ???????????? wrote:
> Is that so? The torrent file you download from debian (= you trust
> that), doesn't contain the checksum?
If you're verifying the checksum, then you implicitly don't trust the file 100%. And you shouldn't have 100% trust in any file obtained over the public internet unless solid end-to-end encryption is in place to secure the transfer against man-in-the-middle attacks, DNS-based attacks (which could result in you downloading from a different source than you think you're getting it from), etc. This goes double for any sort of p2p download, since the whole point of p2p downloads is that you're getting small pieces of the file from many different sources, meaning that any one of those sources could potentially have maliciously altered the pieces they're giving you.

If you don't trust the file 100%, then why would you trust the checksum it contains? A maliciously-altered file would almost certainly also contain a new checksum which matches the altered version of the file.

Always obtain your checksums via an alternate (cryptographically-secured) path, not directly from the data they're being used to verify.

-- 
Dave Sherohman
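The point Dave makes above, as an added worked example that is not part of the original thread or of any Debian tooling: a toy torrent-like descriptor is built from per-piece hashes, a "client" accepts a download when every piece matches the descriptor, and an attacker who rewrites the payload simply regenerates the embedded hashes so that check still passes. Only a value obtained out of band (a fingerprint of the descriptor, or a SHA256SUMS entry, both assumed to have come over a trusted channel) catches the substitution. The sample payload, file name and serialization used for the fingerprint are constructed for the demo; the descriptor is a simplification, not real bencoding, and the fingerprint is a stand-in for a torrent's infohash, not the actual computation.

```python
import hashlib

PIECE_SIZE = 4  # deliberately tiny so the demo payload splits into several pieces

# Constructed sample payload standing in for an ISO image; not real Debian data.
GENUINE_ISO = b"debian-netinst-genuine-bytes-0123"
ISO_NAME = "debian-netinst.iso"


def split_pieces(data: bytes, piece_size: int = PIECE_SIZE) -> list[bytes]:
    return [data[i:i + piece_size] for i in range(0, len(data), piece_size)]


def make_descriptor(data: bytes) -> dict:
    """Build a minimal torrent-like descriptor: per-piece SHA-1 hashes, as a client
    would read them from a .torrent file. Simplified: real torrents are bencoded
    and carry more fields."""
    return {"piece length": PIECE_SIZE,
            "pieces": [hashlib.sha1(p).digest() for p in split_pieces(data)]}


def client_piece_check(descriptor: dict, data: bytes) -> bool:
    """What a BitTorrent client does: accept the download if every piece matches
    the hash listed in the descriptor. This only proves the data matches *that*
    descriptor, not that the descriptor is the one the publisher made."""
    got = [hashlib.sha1(p).digest()
           for p in split_pieces(data, descriptor["piece length"])]
    return got == descriptor["pieces"]


def descriptor_fingerprint(descriptor: dict) -> str:
    """Hash of the descriptor itself, a stand-in for a torrent's infohash computed
    over an ad-hoc serialization (assumption: not the real infohash algorithm).
    This is the kind of value a project can publish out of band."""
    serialized = str(descriptor["piece length"]).encode() + b"".join(descriptor["pieces"])
    return hashlib.sha256(serialized).hexdigest()


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse a SHA256SUMS-style file: '<hex digest>  <filename>' per line."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        sums[name.strip()] = digest.lower()
    return sums


def verify_against_sums(data: bytes, name: str, sums: dict[str, str]) -> bool:
    """Compare the download against an out-of-band digest; unknown names fail closed."""
    return hashlib.sha256(data).hexdigest() == sums.get(name)


def run_scenario() -> dict[str, bool]:
    # Publisher side: build the descriptor and publish two out-of-band values over a
    # channel assumed trustworthy (e.g. an HTTPS page plus a signed SHA256SUMS file).
    genuine_descriptor = make_descriptor(GENUINE_ISO)
    published_fingerprint = descriptor_fingerprint(genuine_descriptor)
    published_sums = parse_sha256sums(
        f"{hashlib.sha256(GENUINE_ISO).hexdigest()}  {ISO_NAME}\n")

    # Attacker side: alter the payload AND regenerate the descriptor so the embedded
    # piece hashes match the altered bytes (same length, so piece count is unchanged).
    tampered_iso = GENUINE_ISO.replace(b"genuine", b"evil!!!")
    tampered_descriptor = make_descriptor(tampered_iso)

    return {
        "genuine_self_consistent": client_piece_check(genuine_descriptor, GENUINE_ISO),
        # The trap: the tampered download is perfectly self-consistent.
        "tampered_self_consistent": client_piece_check(tampered_descriptor, tampered_iso),
        # Out-of-band values catch it.
        "tampered_caught_by_fingerprint":
            descriptor_fingerprint(tampered_descriptor) != published_fingerprint,
        "tampered_caught_by_sums":
            not verify_against_sums(tampered_iso, ISO_NAME, published_sums),
        "genuine_passes_sums": verify_against_sums(GENUINE_ISO, ISO_NAME, published_sums),
    }


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {ok}")
```

The useful comparison is the pair of `*_self_consistent` results: both the genuine and the tampered downloads pass the client's own piece check, because that check only ties the data to whatever descriptor arrived with it. The two `tampered_caught_*` results show that the descriptor fingerprint or the SHA256SUMS digest has to come from somewhere the attacker could not rewrite alongside the payload, which is exactly the "alternate path" argument.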