[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape'sdependence upon RSA down for the count!)

The idea here is to use multiple alternative channels for distributing
the checksums (newsgroups, mailing lists, telephone support lines,
fax-back service, e-mail, etc.), in addition to the ftp sites.

Also, since you guys use (relatively untrusted) mirror sites, you can
distribute the checksums on your official sites, so that people can
verify them from you directly, even if it's more practical for their
main download to be from a "local" mirror.

>  I've been thinking about this recently for obvious reasons.  My concern
>is that if someone can attack your download of netscape, they could also
>attack your download of the program that validates netscape.  Is there
>really any way out of this one?
>        --Jeff