> BTW: How do you verify that the hash sum is the correct one?
> If you just download the file from somewhere on the internet and take that
> hash sum to verify the same file, it's not of much use from a security point
> of view. It just proves that it is the very same file again, but not that it
> is the original file. Smells a little bit like snake-oil security.

I take the hashes from the HTTPS-secured upstream download repository, and verify them with md5 sha256 after downloading the ext-pack itself over HTTPS.
The hash validated by me is then hard-coded in the postinst file and signed with my personal GPG key, so it is not tamperable anymore.

You can see the hashes yourself if you want:
https://download.virtualbox.org/virtualbox/5.2.10

G.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1767402

Title:
  [SRU] hash mismatch or wrong accept-license key trying to install virtualbox-ext-pack 5.2.10
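
The pinned-hash check described in the reply above, as an added example that is not the package's actual postinst or anyone's code from this thread: the function names and `PINNED_SHA256` are hypothetical, and the pin is a constructed value (the SHA-256 of the bytes `abc`) standing in for the maintainer-validated hash. The check only carries weight because the pin ships inside the signed package rather than being fetched alongside the file.

```shell
#!/bin/sh
# Constructed pin: SHA-256 of the three bytes "abc". In a real maintainer
# script this would be the hash validated against upstream before upload.
PINNED_SHA256="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Print the lowercase hex SHA-256 of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        return 2
    fi
}

# verify_pinned FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED_HEX.
# Missing file, malformed pin, missing tool and mismatch all fail closed.
verify_pinned() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # Reject a malformed pin instead of comparing against garbage.
    case $expected in
        *[!0-9a-f]*|'') echo "bad pin" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "bad pin length" >&2; return 1; }
    actual=$(sha256_of "$file") || { echo "no sha256 tool" >&2; return 1; }
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}
```

A maintainer script would call `verify_pinned` on the downloaded file and abort the install on a non-zero return, leaving the expected and actual values on stderr so a mismatch can be reported precisely.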