> Jason, all, uppercased FREE, software as you put it, that is
> worth its salt, provides
> for md5 or sha1 checksums, at the least, and some provide gpg
> signature files.
Just out of curiosity, if someone can hijack the download location so that you get an infected version of this product, do you think they'll be unable to provide MD5 or SHA1 checksums for it on a forged web page as well? I'm really not sure how or why you think this increases security. Especially since both the web page and the download are on the same server.

GPG signing is a little better in that you obtain the key once and it must remain consistent in order to pass the check. At least there, if you get the correct public key to begin with, you can be somewhat sure the code is legit as long as the signature verifies. Doing so using a publicly verifiable cert would be even better...

Nevertheless, doing all this takes time. It's something Nigel could add to his to-do list, but since he seems to struggle just keeping up with releases, I rather doubt that it'll get done any time soon. Note that the release cycle here does NOT match the main ClamAV project. It is always built from the latest CVS code, not from a released snapshot, so the versions don't match either. Honestly, I don't think Nigel intends this as mission-critical software. Not that some of us don't use it that way. So I can see why no effort has been made to generate signatures.

That said, I can see your point too. Certainly, setting up GPG, providing a public key and signatures for the downloads isn't all that difficult and many other public projects do just that. I'm sure a simple batch file could be created that would generate the GPG signature of a file so that once set up, the effort would be minimal. GPG is available for Windows. I use it here to verify SpamAssassin rule updates. Even there, it's not required. But it was easy to set up, so I did. A little extra security on stuff you depend on is always welcome.

Enough rambling for today...

Bret
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32
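The trust argument in Bret's message, as an added example that is not part of the thread or of the clamav-win32 project: a checksum published next to the download on the same server is recomputed by whoever hijacks that server, whereas a signature only helps if the public key was obtained once, out of band, and pinned locally. GPG is stood in for by a Lamport one-time signature over SHA-256 so the script runs with the Python standard library alone; the keys, the "server" dictionary, the release contents and the trojaned file are all constructed here and the function names are the example's own.

```python
"""Checksum-on-the-same-server vs. signature-with-pinned-key (constructed example)."""
import hashlib
import secrets

HASH_BITS = 256  # SHA-256 digest length in bits


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    """Lamport one-time signature keys: 256 pairs of random secrets (sk),
    public key (pk) is the SHA-256 of each secret. Stands in for a GPG key pair."""
    sk = [(rng(32), rng(32)) for _ in range(HASH_BITS)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def bits(digest: bytes):
    """Bits of a 32-byte digest, most significant first."""
    n = int.from_bytes(digest, "big")
    return [(n >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def sign(sk, data: bytes) -> list:
    """Reveal, for each bit of SHA-256(data), the matching secret.
    ONE-TIME: a Lamport key must never sign two different files."""
    return [sk[i][b] for i, b in enumerate(bits(sha256(data)))]


def verify(pk, data: bytes, sig: list) -> bool:
    """Each revealed secret must hash to the public-key entry selected by the data's bit."""
    if len(sig) != HASH_BITS:
        return False
    return all(sha256(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, bits(sha256(data)))))


def publish(sk, pk, release: bytes) -> dict:
    """What the project's web server serves: file, checksum on the same page,
    detached signature, and the public key (also on the same page)."""
    return {"file": release, "sha256": hashlib.sha256(release).hexdigest(),
            "sig": sign(sk, release), "pubkey": pk}


def hijack(server: dict, trojan: bytes) -> dict:
    """Attacker controlling the download host: swaps the file, recomputes the
    checksum, and re-signs with a key of their own, which they publish too."""
    atk_sk, atk_pk = keygen()
    return {"file": trojan, "sha256": hashlib.sha256(trojan).hexdigest(),
            "sig": sign(atk_sk, trojan), "pubkey": atk_pk}


def check_by_checksum(server: dict) -> bool:
    """MD5/SHA1-style check: compare download to the checksum on the same page."""
    return hashlib.sha256(server["file"]).hexdigest() == server["sha256"]


def check_by_page_key(server: dict) -> bool:
    """Signature check using whatever public key the (possibly forged) page offers."""
    return verify(server["pubkey"], server["file"], server["sig"])


def check_by_pinned_key(server: dict, pinned_pk) -> bool:
    """Signature check using the key fetched once from a trusted channel and kept locally."""
    return verify(pinned_pk, server["file"], server["sig"])


def demo() -> dict:
    sk, pk = keygen()
    pinned = pk  # obtained out of band before any hijack, e.g. from a keyserver or in person
    honest = publish(sk, pk, b"clamav-win32-setup.exe (constructed sample contents)")
    evil = hijack(honest, b"clamav-win32-setup.exe with backdoor (constructed sample)")
    # Each tuple: (checksum check, page-supplied key check, pinned key check)
    return {
        "honest": (check_by_checksum(honest), check_by_page_key(honest),
                   check_by_pinned_key(honest, pinned)),
        "hijacked": (check_by_checksum(evil), check_by_page_key(evil),
                     check_by_pinned_key(evil, pinned)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "checksum/page-key/pinned-key:", result)
```

Only the pinned-key column distinguishes the hijacked download; the checksum and the page-supplied key both pass because the attacker controls everything on that page. That is exactly the "if you get the correct public key to begin with" condition in the message, and the reason a real deployment pins the GPG key (or validates it through a certificate chain) rather than re-downloading it alongside each release.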
