On Wed, Sep 5, 2012 at 6:34 PM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
> On Wed, 5 Sep 2012 16:49:34 -0430
> Andres Perera wrote:
>
>> On Wed, Sep 5, 2012 at 4:06 PM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
>> > On Wed, 5 Sep 2012 15:49:15 -0430
>> > Andres Perera wrote:
>> >
>> >> doesn't in any way justify
>> >> downloading sha256 from more than one mirror from the same connection,
>> >> kevin
>> >
>> > It does if a lower tier has been compromised, and I never said from the
>> > same connection.
>>
>> i don't think anybody is talking about such attacks. the subject has
>> clearly been mitm the whole time, since it's by far the easier attack
>>
>
> Surely that depends on the networks. If you're using OpenBSD it's quite
> likely the other end which is more likely mitm or compromised, which is
> half my point for many reasons. I'll admit crap routers are almost
> everywhere though.
>
> The OP's mail:
>
> "Is there any way to verify that distribution sets and packages that I
> have downloaded have not been tampered with (e.g., by someone with
> access to the mirror from which I downloaded them)?"
that's fine and dandy, but the ssl talk ultimately set the tone. given there's no infrastructure in place, wondering about who would have the private keys is premature. most likely the developers would possess the keys, and *not* the mirror maintainers. when the roles don't overlap, if that's enforced from the onset, the benefit you're left with is the guarantee that you're communicating with the party they claim to be.
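The check the OP asked about, and the cross-mirror comparison the thread argues over, as an added example that is not part of the thread and not OpenBSD's own tooling. It assumes the manifest uses the OpenBSD `SHA256 (name) = hex` line format, that `sha256(1)` (OpenBSD) or `sha256sum(1)` (Linux) is available, and that the two manifests being compared were fetched over separate connections from independent mirrors; here both the files and the manifests are constructed inline so the script runs offline. Note what this does and does not give you: agreement between two mirrors catches a single tampered mirror or a single hostile path, but not a compromise upstream of both, and without a signature it still says nothing about who produced the manifest.

```shell
#!/bin/sh
# Added example: verify files against an OpenBSD-style SHA256 manifest and
# require two independently fetched manifests to agree before trusting either.
# Not from the thread or the OpenBSD project; sample data is constructed below.

# digest FILE: print the hex SHA-256 of FILE, using whichever tool is present.
digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # OpenBSD: quiet mode prints hash only
    else
        sha256sum "$1" | cut -d' ' -f1      # coreutils: "hash  name"
    fi
}

# verify_manifest MANIFEST DIR: returns 0 only if every "SHA256 (name) = hex"
# entry names a file in DIR whose digest matches. Lines in other formats are
# skipped rather than treated as a match.
verify_manifest() {
    manifest=$1; dir=$2; rc=0
    while IFS= read -r line; do
        case $line in
            "SHA256 ("*") = "*) ;;
            *) continue ;;
        esac
        name=${line#"SHA256 ("}; name=${name%") = "*}
        want=${line##*= }
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        got=$(digest "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK $name"
        else
            echo "FAIL $name (manifest $want, file $got)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# manifests_agree A B: 0 if both manifests carry the identical set of entries,
# ignoring order. Disagreement means at least one mirror or path is lying.
manifests_agree() {
    a=$(grep '^SHA256 (' "$1" | sort)
    b=$(grep '^SHA256 (' "$2" | sort)
    [ "$a" = "$b" ]
}

# demo_setup: build constructed data in a temp dir and print its path.
# base.tgz stands in for a distribution set; mirror1/mirror2 are honest copies
# of the manifest, SHA256.bad is a manifest whose digest was altered.
demo_setup() {
    demo=$(mktemp -d)
    printf 'hello\n' > "$demo/base.tgz"
    h=$(digest "$demo/base.tgz")
    printf 'SHA256 (base.tgz) = %s\n' "$h" > "$demo/SHA256.mirror1"
    cp "$demo/SHA256.mirror1" "$demo/SHA256.mirror2"
    printf 'SHA256 (base.tgz) = %s\n' "$(printf '%064d' 0)" > "$demo/SHA256.bad"
    echo "$demo"
}

# Usage with the constructed data:
#   d=$(demo_setup)
#   manifests_agree "$d/SHA256.mirror1" "$d/SHA256.mirror2" \
#       && verify_manifest "$d/SHA256.mirror1" "$d"
```

In real use the two manifests would come from two different mirrors over two different connections (and ideally one of them over a link you trust more), and the comparison would be done before any set is unpacked; the script deliberately refuses on the first disagreement rather than picking one manifest as authoritative.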