On 7/1/2016 10:35 AM, Warren Young wrote:
On Jul 1, 2016, at 11:13 AM, Todd C. Olson <t...@cornell.edu> wrote:
Then why does fossil-scm.org offer checksums at all?
Better question: why does any download site offer checksums?
One answer is mirrors. If a download is widely mirrored, then one might
have reason for concern that a third-party provided mirror might be
serving up modified content. Having the official site publish one or
more checksums is a cheap way of providing some assurance that hasn't
happened. A cryptographic signature would be stronger, but enough harder
for end users to verify that it would not be checked at all.
It did happen to a number of iOS developers in China recently. They were
of the habit of getting developer tools from a mirror site that was far
closer to them (by bandwidth and download time measures) than the
official Apple sites. The tools they got included a modified toolchain
that produced iOS app with backdoor access. That also passed all Apple
review stages since they were linked against "official" libraries.
That said, fossil doesn't provide an automated pool of mirrors hosted at
third party providers so this would be less of a concern.
--
Ross Berteig r...@cheshireeng.com
Cheshire Engineering Corp. http://www.CheshireEng.com/
+1 626 303 1602
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
