Anthony Bryan wrote:
> as you know, file size has nothing to do with integrity or matching
> checksums, except that you know if the file size is different then the
> checksums can't match...

Untrue; the set of possible files (and their sizes) that match a
particular checksum is infinite. The point is that _finding_ even one
file from that set is supposed to be hard... but it isn't, for
flawed-but-popular checksums (such as MD5).

MD5 is only reasonable assurance of integrity if (a) you also verify
the file size (it's currently still "hard" to match both file size
_and_ MD5 sum), or (b) you discount the possibility of intentional
meddling (an attacker).

(But since we're only talking about guarding against transmission
errors, (b) is probably a safe assumption: or if it isn't, then there's
probably nothing you could do about it, since if they can modify the
message they can also modify the checksum.)

> the easiest solution if you're in control of the server would probably
> be to use the Content-MD5 header and a download program that supports
> it. I don't know if wget does; probably not.

Not currently.

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
Maintainer of GNU Wget and GNU Teseq
http://micah.cowan.name/
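
Added example, not part of the original message: a client-side check in Python of the two things discussed above, the received size and the Content-MD5 header (the base64 of the raw MD5 digest, per RFC 1864). The function name `verify_download` and the sample body and headers are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac


def verify_download(headers, body):
    """Check a received body against Content-Length and Content-MD5.

    Returns (ok, reason). This guards against transmission errors only:
    anyone able to alter the body in transit can alter the headers too.
    """
    # HTTP header names are case-insensitive.
    h = {k.lower(): v.strip() for k, v in headers.items()}

    length = h.get("content-length")
    if length is not None:
        if not (length.isascii() and length.isdigit()):
            return False, "malformed Content-Length"
        if int(length) != len(body):
            return False, "size mismatch"

    md5_header = h.get("content-md5")
    if md5_header is None:
        return False, "no Content-MD5 header"
    try:
        expected = base64.b64decode(md5_header, validate=True)
    except (binascii.Error, ValueError):
        return False, "malformed Content-MD5"
    # A hex digest pasted into the header decodes to 24 bytes, not 16.
    if len(expected) != 16:
        return False, "malformed Content-MD5"
    if not hmac.compare_digest(hashlib.md5(body).digest(), expected):
        return False, "MD5 mismatch"
    return True, "ok"


# Constructed sample data, standing in for a real HTTP response.
SAMPLE_BODY = b"constructed sample payload\n"
SAMPLE_HEADERS = {
    "Content-Length": str(len(SAMPLE_BODY)),
    "Content-MD5": base64.b64encode(hashlib.md5(SAMPLE_BODY).digest()).decode("ascii"),
}

if __name__ == "__main__":
    print(verify_download(SAMPLE_HEADERS, SAMPLE_BODY))       # intact
    print(verify_download(SAMPLE_HEADERS, SAMPLE_BODY[:-1]))  # truncated
```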
