That is, of course, only useful if the distribution itself is not compromised. In case it is truly compromised, including signing and sha256 infrastructure, I do not think you can do much about it.

Hope it helps,
Tomas

--

This is precisely what I'm trying to understand. What's preventing someone from building & distributing a Linux distro that's intentionally compromised? And how would one go about determining that the kernel in their distro is the real McCoy?

And if I understand how checksums are used correctly, that's only for verifying that distro or package isn't corrupted during download. So there's no "chain of custody", for lack of a better term, digital signature where one could look at the kernel running on a Linux system and trace it back to the original Linux kernel that was released?

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
