Hiram Chirino wrote:
So the responsibility is still on us, the upstream distributor, to verify that the checksums we list in our source distro are correct. But at least by doing this, downstream users of our source distros can rest assured that the dependencies that they are using are the correct ones.
Not if there is a man in the middle attack. If you didn't notice the recent noise w.r.t. DNS pollution, that's the very point of that vector. Had it been exploited, tens of thousands of download users could have been presented with inauthentic maven artifacts, complete with their freshly corresponding checksums. Welcome to the internet. Checksums are not security. They are nothing but error checking.
What's to stop the checksum list being corrupted?
Now you are thinking :)
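The exchange above, worked through as an added example (not code from the thread or from the project): an in-memory stand-in for a Maven repository, a downloader that compares an artifact to the `.sha1` sidecar served from the same host, a poisoning step that rewrites both, and then a checksum list pinned in the source distro, which catches the swap until the list itself is corrupted. The final check authenticates the list with a key held out of band. Because the standard library has no asymmetric signing, an HMAC stands in here for the detached PGP signature a real repository would carry; the property that matters, that an attacker who owns the channel cannot forge the authenticator without the key, is the same. Artifact bytes, paths and the key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: not real Maven artifacts, paths or keys.
ARTIFACT = "org/example/demo/1.0/demo-1.0.jar"
GENUINE_JAR = b"PK\x03\x04 genuine demo-1.0.jar contents"
TROJANED_JAR = b"PK\x03\x04 trojaned demo-1.0.jar contents"
UPSTREAM_KEY = b"out-of-band key held only by the upstream distributor"


def sha1_hex(data: bytes) -> str:
    """Maven-style .sha1 sidecar value for an artifact."""
    return hashlib.sha1(data).hexdigest()


class Repository:
    """Models a repository host: artifacts and their .sha1 sidecars served together."""

    def __init__(self):
        self.files = {}

    def publish(self, path, data):
        self.files[path] = data
        self.files[path + ".sha1"] = sha1_hex(data).encode()

    def get(self, path):
        return self.files[path]


def download_with_sidecar_checksum(repo, path):
    """What a plain download does: fetch artifact and .sha1 from the same place
    and compare. Returns (data, checksum_matches)."""
    data = repo.get(path)
    expected = repo.get(path + ".sha1").decode()
    return data, hmac.compare_digest(sha1_hex(data), expected)


def man_in_the_middle(repo, path, evil_data):
    """An attacker who owns the channel (e.g. via DNS poisoning) serves a
    replacement artifact together with a freshly matching checksum."""
    repo.publish(path, evil_data)


def verify_against_pinned_list(data, path, pinned):
    """Compare against a checksum recorded in the source distro, not fetched
    from the repository."""
    return hmac.compare_digest(sha1_hex(data), pinned[path])


def canonical_list(pinned):
    # One line per entry, sorted, so the signature covers a fixed encoding.
    return "\n".join(f"{digest}  {path}" for path, digest in sorted(pinned.items())).encode()


def sign_checksum_list(pinned, key):
    """Stand-in for a detached signature over the checksum list (HMAC, not PGP)."""
    return hmac.new(key, canonical_list(pinned), hashlib.sha256).hexdigest()


def verify_checksum_list(pinned, signature, key):
    return hmac.compare_digest(sign_checksum_list(pinned, key), signature)


def scenario():
    """Run the thread's argument end to end and report each check's outcome."""
    repo = Repository()
    repo.publish(ARTIFACT, GENUINE_JAR)

    # Upstream records the checksum list in the source distro and signs it.
    pinned = {ARTIFACT: sha1_hex(GENUINE_JAR)}
    list_signature = sign_checksum_list(pinned, UPSTREAM_KEY)

    # Attacker swaps the artifact and republishes a matching .sha1.
    man_in_the_middle(repo, ARTIFACT, TROJANED_JAR)
    data, sidecar_ok = download_with_sidecar_checksum(repo, ARTIFACT)

    # A pinned list catches the swap, as long as the list itself is intact.
    pinned_ok = verify_against_pinned_list(data, ARTIFACT, pinned)

    # Now the attacker also corrupts the checksum list.
    corrupted = dict(pinned)
    corrupted[ARTIFACT] = sha1_hex(TROJANED_JAR)
    corrupted_pinned_ok = verify_against_pinned_list(data, ARTIFACT, corrupted)
    list_signature_ok = verify_checksum_list(corrupted, list_signature, UPSTREAM_KEY)

    return {
        "trojaned_jar_served": data == TROJANED_JAR,
        "sidecar_checksum_passes_after_tamper": sidecar_ok,
        "pinned_list_catches_tamper": not pinned_ok,
        "corrupted_list_passes_hash_check": corrupted_pinned_ok,
        "signature_catches_corrupted_list": not list_signature_ok,
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The sidecar comparison succeeds on the trojaned jar, which is the reply's point that a checksum fetched over the same channel is error checking, not security. Pinning the checksums in the source distro moves the trust to that list, and the last two results show why the list then needs an authenticator the attacker cannot reproduce.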