Thus said Lonnie Abelbeck on Fri, 01 Jul 2016 15:50:40 -0500:
> Indeed, and this requires a bad guy to hack two different servers to
> create bogus downloads and SHA1's. As usual, well done D. R. Hipp.

It depends on the target of the attack. If it's a single user whose ISP is less than reputable, then it won't matter that the downloads and SHA1's are on different sites. As long as that user can get to encrypted email sessions, then there is at least one mechanism that he can use to obtain the official sums (again, assuming that there is no collusion between his encrypted email service and his ISP, or the attacker).

Andy
--
TAI64 timestamp: 40000000577b030b