Re: [Trisquel-users] Verifying install files (Zotero)

2019-12-07 Thread jason
It's probably also worth mentioning that checking GPG signatures is also what the package manager does when you install programs from the Trisquel repo.

Re: [Trisquel-users] Verifying install files (Zotero)

2019-12-07 Thread jason
Who knows. Didn't it happen with GNU/Linux Mint? https://blog.linuxmint.com/?p=2994 Don't forget that kernel.org was also compromised. If someone cracks a server to replace the downloadable programs they could also replace the checksums if they live in the same place. The attacker already

Re: [Trisquel-users] Verifying install files (Zotero)

2019-12-07 Thread jbahn
It's not helpful when the attacker can both add their own malicious version and also alter the posted checksums so that they match. How likely are we to fall victim to such an offence?

Re: [Trisquel-users] Verifying install files (Zotero)

2019-12-07 Thread jason
It's not helpful when the attacker can both add their own malicious version and also alter the posted checksums so that they match. A better option is probably things like GPG signatures. Assuming that you trust the key (which is a whole different topic with assorted issues) then you can

Re: [Trisquel-users] Verifying install files (Zotero)

2019-12-07 Thread jbahn
In most cases I only install software from the Trisquel repo but for instance for Trisquel itself, Replicant images etc. I download the install files and verify them with shasum and gpg. I thought that such verification is (or can be) crucial to security - but perhaps it is not as useful as I

Re: [Trisquel-users] Verifying install files (Zotero)

2019-12-07 Thread jbahn
Wasn't there also a case with Linux Mint?

Re: [Trisquel-users] Verifying install files (Zotero)

2019-12-06 Thread andyprough
He's not right in terms of his company hosting the download infrastructure being any kind of assurance of security. Not too many years ago an extremely popular Windows utility called CCleaner had its download servers hacked, and it was serving up pure malware as "CCleaner updates" to some of

[Trisquel-users] Verifying install files (Zotero)

2019-12-06 Thread jbahn
I wish to install Zotero (a powerful reference manager which is free software). Unfortunately Zotero is not in Trisquel's repository (I wonder why not?). Hence one has to download the install file from zotero.org. They don't provide checksums or other means for verification. On the