From: Rene Rivera (grafik.list_at_[hidden])
Date: 2004-12-20 21:01:18

Daryle Walker wrote:
> I dislike the idea of executable-wrapped archives in general. You
> only have a creator's word that the file isn't actually a Trojan
> and/or infected with a virus. (Even a trustworthy creator may get
> overridden by a cracker's altered archives.)

That is true regardless of type of archive. The source archives are just
as susceptible to tampering as the executable ones. And such tampering
has occurred in other open source distributed material.

> This is late, and it seems that you guys agreed to an
> extractor-included version as an addition instead of a replacement.
> Maybe we should add a list of MD-5, or other checksum, values for
> each of our archives.

Checksums provide only a thin veil of assurance. There is no security
improvement as the checksum is susceptible to the same tampering. If you
really want secure assurance you would need some form of trusted public
key signature on the archives.

-- 
-- Grafik - Don't Assume Anything
-- Redshift Software, Inc. - http://redshift-software.com
-- rrivera/acm.org - grafik/redshift-software.com - 102708583/icq
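
The point made in the reply above, as an added example that is not part of the original post: a checksum stored next to the archive can be recomputed by whoever alters the archive, while a signature checked against a public key obtained elsewhere cannot. Assumptions: SHA-256 stands in for the MD5 mentioned in the thread, the unpadded textbook RSA key is a constructed, insecure stand-in for a real signing tool, and the function names are hypothetical.

```python
import hashlib

# Constructed demo key: textbook RSA over two well-known Mersenne primes.
# Trivially factorable and unpadded, so NOT secure; it only stands in for a
# real signing key (e.g. one managed with an OpenPGP tool).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, obtained out of band by users
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, never stored on the mirror


def digest(data: bytes) -> int:
    """SHA-256 of the archive as an integer (the thread mentions MD5; same role)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def publish(archive: bytes) -> dict:
    """What the release manager uploads: archive, checksum file, signature file."""
    h = digest(archive)
    return {"archive": archive, "checksum": h, "signature": pow(h, D, N)}


def tamper(mirror: dict, new_archive: bytes) -> dict:
    """Someone with write access to the mirror swaps the archive. The checksum
    needs no secret, so it is recomputed; the signature cannot be, so the old
    one is left in place."""
    return {**mirror, "archive": new_archive, "checksum": digest(new_archive)}


def check(download: dict) -> tuple:
    """Downloader's view: (checksum_ok, signature_ok)."""
    h = digest(download["archive"])
    checksum_ok = h == download["checksum"]
    signature_ok = pow(download["signature"], E, N) == h
    return checksum_ok, signature_ok


if __name__ == "__main__":
    genuine = publish(b"release tarball bytes (constructed sample)")
    altered = tamper(genuine, b"altered tarball bytes (constructed sample)")
    print("genuine:", check(genuine))
    print("altered:", check(altered))
```

The altered download still passes the checksum comparison and fails only the signature check, which is the only check that depends on something the mirror does not hold.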