>>
>>> Would it not be cleaner if the signature was next to the resource ? Like
>>>
>>> http://files.pharo.org/platform/Pharo6.1-mac.zip.sha256.txt
>>>
>>> Or is that the next step ?
>>>
>>
>> Already there. But a signature like that is not a guarantee if it is
>> downloaded from the same server… especially if that server does not
>> use SSL…
>>
>> The “attack vector” that a checksum protects against is the compromise of a
>> download server, especially untrusted mirrors. For that,
>> the checksum needs to come from some other (trusted) source. E.g. normally
>> it is inlined on the download website.
>>
>> But of course these things are never 100% guarantees, they just make it
>> harder to do bad things.
>
> Ah, OK, I understand, I just think that a shorter/simpler/easier-to-remember
> URL for the signature would be better.
>
I will put them on pharo.org <http://pharo.org/> later, too (in a dedicated
directory). And link them from the download page.
Marcus
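The check discussed in this thread, as an added example that is not part of the original messages or of the Pharo project's own tooling: compute the SHA-256 of the downloaded artifact, compare it against the digest listed in a sha256sum-style checksum file, and refuse to trust a checksum that came from the same server as the artifact or over plain HTTP. It assumes the `.sha256.txt` files use the GNU coreutils `sha256sum` line format (`<hex>  <filename>`), and the sample bytes and checksum text are constructed here for the demo, not real Pharo release data.

```python
"""Verify a downloaded file against a SHA-256 checksum published elsewhere.

Added example, not Pharo project code. Assumes (not confirmed by the thread)
that the checksum file follows the GNU coreutils sha256sum format, e.g.
"<64 hex chars>  Pharo6.1-mac.zip".
"""
import hashlib
import hmac
from urllib.parse import urlparse

HEX_CHARS = set("0123456789abcdefABCDEF")


def parse_sha256sum(text):
    """Parse sha256sum-style lines into {filename: lowercase hex digest}.

    Accepts both "hex  name" (text mode) and "hex *name" (binary mode),
    skips blank lines and '#' comments, and rejects anything that is not a
    64-character hex digest so a truncated or corrupted file is not
    silently accepted.
    """
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % line)
        hexdigest, name = parts
        if name.startswith("*"):
            name = name[1:]
        if len(hexdigest) != 64 or any(c not in HEX_CHARS for c in hexdigest):
            raise ValueError("not a SHA-256 hex digest: %r" % hexdigest)
        digests[name] = hexdigest.lower()
    return digests


def sha256_hex(data):
    """Hex SHA-256 of the artifact bytes (use a chunked read for big files)."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data, filename, checksum_text):
    """True iff `data` hashes to the digest listed for `filename`.

    hmac.compare_digest is used so the comparison does not leak how many
    leading characters matched; for a one-off download check this is a
    habit rather than a real attack surface, but it costs nothing.
    """
    digests = parse_sha256sum(checksum_text)
    if filename not in digests:
        raise KeyError("no checksum listed for %s" % filename)
    return hmac.compare_digest(sha256_hex(data), digests[filename])


def checksum_source_is_independent(download_url, checksum_url):
    """Policy check (an assumption of this example, not a Pharo rule).

    A checksum sitting next to the artifact on the same server only proves
    the file was not corrupted in transit. Whoever controls that server, or
    a plain-HTTP path to it, can replace file and checksum together, so we
    require the checksum to come over HTTPS from a different host, e.g. the
    download page on pharo.org rather than files.pharo.org.
    """
    d, c = urlparse(download_url), urlparse(checksum_url)
    return c.scheme == "https" and c.hostname is not None and c.hostname != d.hostname


# Constructed sample artifact and checksum text standing in for
# Pharo6.1-mac.zip and its .sha256.txt; the digest is computed here only
# because this is a demo, in real use it comes from the trusted page.
SAMPLE_FILE = b"PK\x03\x04 constructed bytes, not a real Pharo archive\n"
SAMPLE_CHECKSUMS = sha256_hex(SAMPLE_FILE) + "  Pharo6.1-mac.zip\n"
TAMPERED_FILE = SAMPLE_FILE + b"x"  # one appended byte is enough to fail


if __name__ == "__main__":
    artifact = "http://files.pharo.org/platform/Pharo6.1-mac.zip"
    print("same-server http checksum trusted:",
          checksum_source_is_independent(artifact, artifact + ".sha256.txt"))
    print("download page checksum trusted:",
          checksum_source_is_independent(artifact, "https://pharo.org/download"))
    print("intact file verifies:",
          verify_download(SAMPLE_FILE, "Pharo6.1-mac.zip", SAMPLE_CHECKSUMS))
    print("tampered file verifies:",
          verify_download(TAMPERED_FILE, "Pharo6.1-mac.zip", SAMPLE_CHECKSUMS))
```

The point the thread makes is encoded in `checksum_source_is_independent`: a `.sha256.txt` next to the zip is convenient, but it is only evidence of integrity if the attacker who could swap the zip could not also swap the checksum, which is why the digest should be read from the HTTPS download page (or a signed release note) rather than fetched from the same mirror.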