On Fri, Nov 20, 2015 at 12:23 AM, Richard Heck <rgh...@lyx.org> wrote:
> On 11/19/2015 06:15 PM, Uwe Stöhr wrote:
>> On 19.11.2015 at 01:12, Scott Kostyshak wrote:
>>
>>> The benefit of signing files is so that whoever downloads the file can
>>> be confident that it is the same file that you uploaded. Downloads and
>>> uploads are not often corrupted as they were before, but a file is made
>>> up of many 0's and 1's which are sent through wires.
>>
>> Thanks for the explanation. I understand that a download can go wrong,
>> but it is not clear to me what would happen that could harm anybody.
>> If a download is broken you will most probably not be able to install
>> LyX with this installer and we will quickly get complaints from users.
>> What else could happen?
>
> The worry is not that the download goes wrong, but that someone manages
> somehow to put a virus into your installer. This could happen in a
> number of different ways, for example, via a man-in-the-middle attack.
> Or someone could hack into your Sourceforge account and replace the
> file. It's happened.

This. Also, providing a checksum is a *very* low-effort requirement, and it will take very little time to compute the hash of a given file using your favorite checksum utility, like HashTab on Windows and Mac OS X or GtkHash on Linux. This is easier done than said.

PGP signatures, on the other hand, are a bit more work to understand conceptually and set up in practice, although as Scott mentions it's a 5 min job with proper guidance. The cryptographic signature is a step above simple checksums in ascertaining both the origin and integrity of the file: *you* are the only one holding the private key, and a file signed by you can be verified by *anyone* using your public key.

Cheers,
Liviu

> If you send Scott an MD5 sum (and me, actually), then we can be
> confident that the file has not been altered. So our signature means
> something.
>
> Richard
>

-- 
Do you think you know what math is?
http://www.ideasroadshow.com/issues/ian-stewart-2013-08-02
Or what it means to be intelligent?
http://www.ideasroadshow.com/issues/john-duncan-2013-08-30
Think again: http://www.ideasroadshow.com/library
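The distinction drawn above between a published checksum and a signature, as an added example that is not from this thread or from the LyX project: it uses Go's standard-library Ed25519 as a stand-in for a PGP signature so it runs without gpg, and the installer bytes are constructed. An attacker who replaces the installer on the download site can recompute the checksum published beside it, but cannot produce a signature that verifies under the maintainer's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a maintainer publishes next to an installer: the file,
// its SHA-256 checksum and a detached signature over that checksum.
type Release struct {
	File      []byte
	Checksum  string // hex digest, as a sha256sum-style sidecar file would carry it
	Signature []byte // signature over the SHA-256 digest of File (Ed25519 stands in for PGP)
}

func digest(file []byte) []byte {
	sum := sha256.Sum256(file)
	return sum[:]
}

// Publish computes the checksum and signs it with the maintainer's private key.
func Publish(priv ed25519.PrivateKey, file []byte) Release {
	d := digest(file)
	return Release{File: file, Checksum: hex.EncodeToString(d), Signature: ed25519.Sign(priv, d)}
}

// VerifyChecksum catches a corrupted download, but only proves the file matches
// whatever checksum was published beside it.
func VerifyChecksum(r Release) bool {
	return hex.EncodeToString(digest(r.File)) == r.Checksum
}

// VerifySignature proves that the holder of the private key signed exactly this file.
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, digest(r.File), r.Signature)
}

// Tamper models an attacker who replaced the installer on the download site and
// recomputed the published checksum, but does not hold the private key.
func Tamper(r Release, replacement []byte) Release {
	return Release{File: replacement, Checksum: hex.EncodeToString(digest(replacement)), Signature: r.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Publish(priv, []byte("constructed installer bytes"))
	swapped := Tamper(genuine, []byte("constructed replacement installer"))
	fmt.Println("genuine: checksum", VerifyChecksum(genuine), "signature", VerifySignature(pub, genuine))
	fmt.Println("swapped: checksum", VerifyChecksum(swapped), "signature", VerifySignature(pub, swapped))
}
```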