7 Dec 2016, 4:37 a.m.
On 12/03/2016 10:37 PM, Maxwell Anselm via arch-general wrote:
You mean the source files that you downloaded and then hashed...
Yes. If the source files are being modified via a MITM attack (which is trivial if the host uses HTTP) the checksum is still useful.
This sounds a lot like a "solution in search of a problem to fix" and blindly applying any "fix" where it is provably meaningless really causes credibility (not to mention the Arch KISS philosophy) to take a beating. I'm all for validation and stronger hashes, but applying them in a circumstance where there is no way to validate against any original -- is just bat-shit crazy.

--
David C. Rankin, J.D.,P.E.