On Wed, Dec 05, 2007, STeve Andre' wrote:

> Yes, one can dismiss the "benefits".  Think about what an MD5 (or any
> other cryptographic) checksum means.  If the OpenBSD site publishes
> that list, how does something more complicated help?

> Answer: it doesn't.

Wrong.

If someone cracks a website, then he can put up a modified binary
and a modified MD5 checksum. Creating a (digital) signature (with
the right key) is significantly more complex.

Using CDs to distribute the code makes the attack of course rather
complicated.

Someone actually did the former with sendmail.org (to distribute a
version of sendmail with a backdoor).  The problem was only noted
because users checked the (digital) signature.

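Added example, not part of the original message: a simulation of the argument above, where a party who controls the download site replaces both the binary and its published checksum, and only verification against a public key obtained out of band detects it. All names are hypothetical; a Lamport one-time signature built from `hashlib` stands in for a PGP-style signature so the block runs with the standard library alone, and SHA-256 is used for the checksum in place of MD5.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    # Each key pair must sign exactly one message.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, digest_bits(msg))))

def publish(sk, binary: bytes) -> dict:
    # What the download site serves: file, checksum list entry, signature.
    return {"binary": binary,
            "checksum": hashlib.sha256(binary).hexdigest(),
            "signature": sign(sk, binary)}

def replace_on_site(site: dict, new_binary: bytes) -> dict:
    # Models site compromise: the web server is writable, the signing key
    # is not, so binary and checksum change but the signature cannot follow.
    return dict(site, binary=new_binary,
                checksum=hashlib.sha256(new_binary).hexdigest())

def checksum_ok(site: dict) -> bool:
    return hashlib.sha256(site["binary"]).hexdigest() == site["checksum"]

def signature_ok(site: dict, pinned_pk) -> bool:
    # pinned_pk is the key the user obtained earlier, not from the same site.
    return verify(pinned_pk, site["binary"], site["signature"])

if __name__ == "__main__":
    sk, pk = keygen()
    good = publish(sk, b"release tarball (constructed sample)")
    bad = replace_on_site(good, b"modified tarball (constructed sample)")
    for name, site in (("original", good), ("replaced", bad)):
        print(name, "checksum:", checksum_ok(site), "signature:", signature_ok(site, pk))
```

The checksum passes for both copies because it comes from the same server as the file; the signature check fails for the replaced copy, and a signature made with a different key fails against the pinned key as well.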