Then why does fossil-scm.org offer checksums at all? Regards, tco2
> On Fr, 2016-07-01, at 12:39, Warren Young <w...@etr-usa.com> wrote: > > On Jun 30, 2016, at 7:21 PM, Todd C. Olson <t...@cornell.edu> wrote: >> >> The checksum file on the down load page only has values for up to v1.34 >> Where do we get the values for v1.35 > > Why do you trust such things in the first case? > > If you’re looking to checksums to protect you against MITM malware injection, > the same MITM can modify the checksum, too. > > If you’re expecting the checksum to protect you against someone hacking the > web site and uploading malware, they can modify the checksums on the web site > at the same time. > > If you’re expecting to copy the checksums somewhere secure for verifying EXEs > later, downloading the current EXE and doing your own checksum gets you the > same benefit with no useful drop in security. > > If you’re looking to these checksums for an integrity check, what kind of > horrible network are you on where Ethernet + TCP checksums are insufficient? > _______________________________________________ > fossil-users mailing list > fossil-users@lists.fossil-scm.org > http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users _______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users