This is an OpenSSL security meta-question.

I notice that the tarballs also include a SHA1 digest.  What's the point?

1 - If anyone has authority to update the tarball with a counterfeit, can't
they also update the SHA1?
2 - The web site isn't protected by SSL (ironic).  A MIM altering the
tarball could similarly alter the SHA1.

The FAQ implies that one should get the SHA1 from the main site and the
tarball from a mirror.  Is that the point?

--
Ken Goldman   kg...@watson.ibm.com
914-784-7646 (863-7646)
