Why go to all this trouble? Just post MD5 sums on the web page of the various distributions.
-----Original Message-----
From: Karsten Lentzsch <[email protected]>
To: Karsten Lentzsch <devl at freenetproject.org>
Date: Thursday, June 07, 2001 7:27 AM
Subject: [freenet-devl] A possible attack

>Hello -
>
>The current binary Freenet distributions contain an unsigned
>freenet.jar. I'd recommend that one of the administrators signs
>the JAR using a public key certificate verified by a CA.
>
>Otherwise, an evil party could modify the JAR, distribute
>it on a "mirror", allowing it to do all kinds of evil stuff.
>
>If we would use a JNLP (Java Web Start) enabled deployment,
>the code would be automatically verified during startup.
>As an alternative, users that have a Java Development Kit
>could verify the code's data integrity, using the jarsigner tool.
>
>Karsten Lentzsch
>
>_______________________________________________
>Devl mailing list
>Devl at freenetproject.org
>http://lists.freenetproject.org/mailman/listinfo/devl
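The integrity check discussed in this thread, as an added example that is not part of the original messages or of Freenet's code: it compares each entry of a JAR with the digests recorded in META-INF/MANIFEST.MF and reports whether signature files are present at all. The sample JAR and the names freenet/Node.class and ADMIN.SF/ADMIN.RSA are constructed; validating the signature block itself is left to `jarsigner -verify`.

```python
import base64, hashlib, io, re, zipfile
MF = "META-INF/MANIFEST.MF"
SIG_FILE = re.compile(r"META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.I)

def _digest(alg, body):
    """Base64 digest as written in a manifest; alg is e.g. 'SHA-256' or 'SHA1'."""
    return base64.b64encode(hashlib.new(alg.replace("-", "").lower(), body).digest()).decode()

def parse_manifest(text):
    """Return {entry name: attributes} for the per-entry manifest sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    entries = {}
    for block in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def audit_jar(data):
    """Compare entries with manifest digests; does NOT validate the signature block."""
    report = {"signed": False, "ok": [], "modified": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        report["signed"] = any(SIG_FILE.match(n) for n in names)
        manifest = parse_manifest(jar.read(MF).decode("utf-8")) if MF in names else {}
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            want = {k[:-7]: v for k, v in manifest.get(name, {}).items() if k.endswith("-Digest")}
            if not want:
                report["unlisted"].append(name)  # shipped but not covered by the manifest
                continue
            good = all(_digest(alg, jar.read(name)) == b64 for alg, b64 in want.items())
            report["ok" if good else "modified"].append(name)
    return report

def build_sample(files, listed, with_sig_files):
    """Constructed JAR: `listed` is the content the manifest claims, `files` what ships."""
    mf = "Manifest-Version: 1.0\r\n\r\n"
    for name, content in listed.items():
        mf += f"Name: {name}\r\nSHA-256-Digest: {_digest('SHA-256', content)}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MF, mf)
        for ext in ("SF", "RSA") if with_sig_files else ():
            z.writestr(f"META-INF/ADMIN.{ext}", "constructed placeholder, not a real signature")
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()
```

In an unsigned JAR the manifest digests can be recomputed by whoever changed the classes, so a clean report means something only once the signature files have been validated against a trusted certificate.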
