On Fri, December 1, 2017 00:18, Graeme Geldenhuys wrote: > On 2017-11-30 22:26, Tomas Hajny wrote: >> Checksums may indeed be created / calculated rather easily. However, >> that >> is not enough. The checksums must get to the end user in secured way as >> well, otherwise it makes no sense. > > > As the saying goes... Take a page from the playbook of FreeBSD or any > Linux distro for that matter. > > http://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/ . .
Sorry, I know that this is being done, but I don't see how is that more secure than just downloading the file via HTTPS. As long as the checksums are not signed, they may be tampered with (or not) the same way as the original files. Obviously, there are more secure mechanisms (let's take Debian packages with their signatures as an example), but these require more overhead (especially with different release makers for different targets) and still end up with requiring some root trusted element at the beginning (which usually needs to be downloaded via the same mechanisms as the installation files in the end which implies that it's still as secure as the download channel used for getting the files). Tomas _______________________________________________ fpc-pascal maillist - fpc-pascal@lists.freepascal.org http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
