There are 2 stages where the download could be compromised:
1) Man-in-the-middle attacks when you (the user) download the file from
the server to your machine, resulting in a file that differs from the one
you intended to download.
2) modifications made on the server. The file you downloaded is correct,
but the host is malicious.

Start with the hashing though. It covers the basic problems and confirms
that the download was completed successfully.

This is some good & useful info, most of which I'm familiar with but the
detailed info on the Linux Kernel WoT is new and interesting.  Especially
this, "Due to the kernel.org systems compromise, this key has been
retired and revoked. *It will no longer be used to sign future releases
and you should NOT use this key to verify the integrity of any archives. It
is almost certain that this key has fallen into malicious hands."*

But this doesn't seem to answer the question if there's a way to determine
if the kernel in a distro is the officially released kernel that hasn't
been modified.

My point being that there doesn't seem to be anything preventing someone
from modifying / compromising the kernel, building a distro with that
kernel and distributing it other than the Linux community policing itself.

This has become more of interest to me as I test newer distros that don't
have decades of a committed developer & user base that has earned their
trust.
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
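As an added illustration of the two stages discussed in this thread (not code from the list or from kernel.org), the following Go program models a download host serving an archive, its digest line and a detached signature over that line. It uses Ed25519 from the Go standard library as a stand-in for the PGP signatures kernel.org actually publishes; the file name and contents are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download host serves: the archive, the published digest
// line ("<hex sha256>  <name>", as in a sha256sums file) and its detached signature.
type Release struct{ Archive, SumLine, Signature []byte }

// SumLine computes the digest line a publisher ships beside the archive.
func SumLine(archive []byte, name string) []byte {
	d := sha256.Sum256(archive)
	return []byte(hex.EncodeToString(d[:]) + "  " + name)
}

// HashOK, stage 1: the bytes that arrived match the digest the host published.
// Catches corruption or tampering in transit, but trusts the host's digest.
func HashOK(r Release, name string) bool {
	return bytes.Equal(SumLine(r.Archive, name), r.SumLine)
}

// SignatureOK, stage 2: the digest line carries a signature by a publisher key
// obtained out of band (e.g. via the WoT), never one fetched from the same host.
func SignatureOK(r Release, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, r.SumLine, r.Signature)
}

// Verified needs both checks: either one alone leaves a stage uncovered.
func Verified(r Release, name string, pub ed25519.PublicKey) bool {
	return SignatureOK(r, pub) && HashOK(r, name)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	name := "linux-x.y.tar.xz" // placeholder name, not a real release
	good := Release{Archive: []byte("genuine tarball")}
	good.SumLine = SumLine(good.Archive, name)
	good.Signature = ed25519.Sign(priv, good.SumLine) // publisher signs digest line
	mitm := good                                       // stage 1: altered in transit, digest line intact
	mitm.Archive = []byte("altered in transit")
	evil := Release{[]byte("backdoored tarball"), nil, good.Signature}
	evil.SumLine = SumLine(evil.Archive, name) // stage 2: host rewrote archive and digest
	fmt.Println(Verified(good, name, pub), Verified(mitm, name, pub), Verified(evil, name, pub)) // true false false
}
```

Note that the in-transit case still passes SignatureOK (the signed digest line was not touched) and the malicious-host case still passes HashOK (the host rewrote the digest to match), which is why both checks are needed.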
