Hello:

> There is one thing I cannot seem to find on the site, though, and these are
> checksums for the builds -- nightly, beta or stable --, which seems to pose a
> certain security risk, should one of the mirrors or download servers be
> compromised.
> How big is that risk in reality?

> Would there be any way to add that information to the download pages? Even an
> md5 checksum would bring peace of mind to many users and would, at the very
> least, help educate the public about the importance of verifying downloads...

Do you check the identity of your courier when he/she delivers a parcel to you? The answer is probably no for 99% of people. Should we be doing this? In all honesty, even if I checked the courier's credentials, I have no way of knowing they are authentic. In the end it depends on how paranoid we are. I usually grant trust to people every day; taking people (or businesses) at face value is a reflection of how we view our world.

All a checksum would do is confirm that it is the correct one for that file, not its authenticity. It's very self-referential. Anyone capable of breaching the security of a server like these is just as capable of putting the correct checksum for the malicious file he just slipped onto the Camino servers.

What is true is that I have faith in the people who have been working on this project ... this extends to the choices they make about the security of their servers. It is part and parcel of the work of a development team. There is a kind of chain of trust here which enables us to act in a somewhat less paranoid mode than some suggest.

> What is the opinion of the community regarding this matter?

We trust the developers' integrity on this project as well as that of the Mozilla organization. I am quite aware of the security risks on the Internet, but I believe there is more risk in someone successfully redirecting traffic to a fake website than someone successfully inserting a malicious file into these servers. I've chosen trust in place of paranoia.

-- 
David Fedoruk B.Mus. UBC, 1986
Certificate in Internet Systems Administration, UBC, 2003
"Music is enough for one's life time, but one life time is not enough for music" Sergei Rachmaninov

_______________________________________________
Camino mailing list
[email protected]
http://mozdev.org/mailman/listinfo/camino
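To make the self-referential point in the reply above concrete, here is a small added example (written for this page; it is not code from the Camino project or from either poster). It models a download server that publishes a checksum line next to the build, checks the download two ways, and then lets someone with write access to that server replace the build. The mirror, the file name and the file bytes are all constructed stand-ins, and the "out of band" value stands for a checksum the user obtained through some path they already trust (an assumption; the page does not say where such a value would come from).

```python
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the downloaded bytes. "md5", as the question mentions,
    also works here, but sha256 is the sensible default today."""
    return hashlib.new(algorithm, data).hexdigest()


class Mirror:
    """Constructed stand-in for one download server: it hosts the build and
    publishes a checksum right next to it, in the same trust domain."""

    def __init__(self) -> None:
        self.files = {}      # file name -> bytes
        self.checksums = {}  # file name -> hex digest the server publishes

    def publish(self, name: str, data: bytes, algorithm: str = "sha256") -> None:
        self.files[name] = data
        self.checksums[name] = digest_hex(data, algorithm)


def verify_download(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of the download's digest with an expected value."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex.lower())


def verify_against_same_server(mirror: Mirror, name: str) -> bool:
    """What a checksum line on the download page buys you on its own: the
    expected value comes from the very host that served the file."""
    return verify_download(mirror.files[name], mirror.checksums[name])


def attacker_replaces_build(mirror: Mirror, name: str, malicious: bytes) -> None:
    """Whoever can write the build to the server can write its checksum too."""
    mirror.publish(name, malicious)


def run_scenario() -> dict:
    """Returns the two verification results before and after the server is
    altered. Sample bytes are constructed placeholders, not a real build."""
    genuine = b"Camino.dmg: constructed placeholder for the real build bytes\n"
    mirror = Mirror()
    mirror.publish("Camino.dmg", genuine)

    # Assumption: the user recorded this digest through a channel independent
    # of the mirror (the page does not specify one; this is hypothetical).
    trusted_hex = digest_hex(genuine)

    before = {
        "same_server": verify_against_same_server(mirror, "Camino.dmg"),
        "out_of_band": verify_download(mirror.files["Camino.dmg"], trusted_hex),
    }
    attacker_replaces_build(mirror, "Camino.dmg",
                            b"Camino.dmg: constructed trojaned build\n")
    after = {
        "same_server": verify_against_same_server(mirror, "Camino.dmg"),
        "out_of_band": verify_download(mirror.files["Camino.dmg"], trusted_hex),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_scenario())
```

After the replacement, `same_server` still reports True (the server's own checksum matches the server's own file), while only the comparison against a value obtained elsewhere reports False. That is the sense in which a checksum hosted beside the file is self-referential: it detects a corrupted transfer, not a substituted build.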
