OT: Whose packages to use?
Kenneth Brody
kenbrody at bestweb.net
Fri Apr 28 06:19:32 PDT 2006
Quoting Fairlight (Thu, 27 Apr 2006 23:11:21 -0400):
[...]
> The point is though, even if MD5 sum files are generated for a binary
> dist, they don't really prove much. If you can manage to replace the
> dist, you can manage to replace the md5 file, unless they're kept on
> separate servers. I've always failed to see the trust chain in people
> providing them for exactly that reason. If they're sitting in the
> same directory on the same server, I think it's worthless. If there
> were two separate servers to crack, that might make it a bit more
> trustworthy.
On the other hand, you also have cases where the main distrib is made
in Norway or Germany, but you'd much rather download from something a
bit more local. Get the MD5s from the horse's mouth, and then download
from some local "get your free distribs here -- we promise we didn't do
anything bad to them" site. (As you said, this falls under the "kept
on separate servers" category. But it's not an uncommon scenario.)
--
KenBrody at BestWeb dot net spamtrap: <g8ymh8uf001 at sneakemail.com>
http://www.hvcomputer.com
http://www.fileProPlus.com
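
The trust argument in this exchange, as an added example that is not part of the original message: a file fetched from a mirror is checked against an md5sum-style manifest, and the outcome depends on where that manifest came from. The file name, byte strings and function names are constructed for illustration; MD5 is used only because the thread discusses it.

```python
import hashlib
import hmac

def parse_manifest(text):
    """Parse md5sum-style lines ('<hex digest>  <name>') into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # md5sum marks binary mode with '*'
        if len(digest) != 32 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        bytes.fromhex(digest)  # raises ValueError if not hexadecimal
        entries[name] = digest.lower()
    return entries

def verify(name, data, manifest_text):
    """True only if the manifest lists `name` and its digest matches `data`."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False  # a file the manifest does not list is unverified
    actual = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data: the real distribution and a modified copy.
GENUINE = b"constructed release tarball bytes"
TAMPERED = GENUINE + b" plus something extra"
NAME = "dist.tar.gz"  # hypothetical file name

# Manifest fetched from the origin server (the "horse's mouth").
ORIGIN_MANIFEST = f"{hashlib.md5(GENUINE).hexdigest()}  {NAME}\n"
# Manifest sitting next to the tampered file on the same server:
# whoever replaced the file could regenerate it too.
SAME_SERVER_MANIFEST = f"{hashlib.md5(TAMPERED).hexdigest()}  {NAME}\n"

def demo():
    return {
        "clean mirror, origin manifest": verify(NAME, GENUINE, ORIGIN_MANIFEST),
        "tampered mirror, origin manifest": verify(NAME, TAMPERED, ORIGIN_MANIFEST),
        "tampered mirror, same-server manifest":
            verify(NAME, TAMPERED, SAME_SERVER_MANIFEST),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'}")
```

The third case passes even though the file was modified, which is the situation the quoted text calls worthless; only the manifest obtained separately from the origin catches the change.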