checksums of packages

Simon Geard delgarde at ihug.co.nz
Mon Aug 23 00:55:03 PDT 2010


On Sun, 2010-08-22 at 19:03 -0500, Bruce Dubbs wrote:
> bendeguz wrote:
> 
> > 2. This means it could be possible for some package to have 
> > false checksums on the whole internet?
> > > So you can't be absolutely sure that you have downloaded a package
> > > in the form the maintainer built it?
> 
> It's possible, but quite unlikely.  It would be discovered and all over 
> the net pretty quickly.  There are a lot of packages that have optional 
> crypto signatures too.  See e.g. openssl.

More than just openssl - for almost everything in LFS itself, the
download sites provide GPG signatures, and it seems to be the norm for
anything hosted on kernel.org or gnu.org. When such signatures are
available, I make a point of checking them.

Of course, GPG signatures don't mean anything either, if you don't make
some effort at verifying the keys they're signed with. It's not really
practical to verify them face-to-face with their owners, but I usually
throw the key ID into Google, and check that I get some hits on relevant
mailing lists. If there are messages from the developers citing that as
the correct key, it's probably good (assuming their server isn't
hopelessly compromised and the mailing list archives tampered with).

Simon.
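Added example, not from this thread or from the LFS/BLFS project: a small Python parser that reads the issuer key ID and, where present, the issuer fingerprint out of a detached OpenPGP signature (the .sig or .asc sitting next to a tarball) and checks it against a pinned fingerprint. The key ID that gets typed into a search engine in the post above is this value; the block shows where it lives in the signature and why the full 160-bit fingerprint is the better thing to pin, since a 64-bit key ID can be collided deliberately. The function names, SAMPLE_FPR, the constructed sample signature and the pinned lists are all hypothetical and made up for the demo, not gpg's API or any real project key. It only parses; gpg still does the cryptographic verification.

```python
"""Read the issuer key ID and fingerprint out of a detached OpenPGP signature (.sig / .asc); parsing only, gpg still verifies."""
import base64
import re
import struct

SUBPKT_ISSUER_KEY_ID = 16   # RFC 4880 5.2.3.5: 64-bit key ID, normally in the unhashed area
SUBPKT_ISSUER_FPR = 33      # RFC 4880bis: full fingerprint, written by GnuPG 2.1.16 and later

def dearmor(text):
    """Strip ASCII armor: headers up to the first blank line, base64 body, optional =CRC line."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)\n-----END PGP SIGNATURE-----", text, re.S)
    if not m:
        raise ValueError("no armored signature block")
    lines = m.group(1).split("\n")
    if "" in lines:
        lines = lines[lines.index("") + 1:]
    return base64.b64decode("".join(ln for ln in lines if not ln.startswith("=")))

def var_len(buf, i):
    """Variable-length size field shared by new-format packets and subpackets; returns (length, octets used)."""
    n = buf[i]
    if n < 192:
        return n, 1
    if n == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], 5
    return ((n - 192) << 8) + buf[i + 1] + 192, 2     # partial body lengths never occur in signature packets

def read_packet(buf):
    """Parse one packet header, old or new format (RFC 4880 4.2); return (tag, body)."""
    first = buf[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                  # new format: tag in the low 6 bits
        tag, (length, off) = first & 0x3F, var_len(buf, 1)
        off += 1
    else:                                             # old format, which is what gpg writes for a .sig
        tag, size = (first >> 2) & 0x0F, (1, 2, 4, 0)[first & 3]
        if not size:
            raise ValueError("indeterminate length not supported")
        length, off = int.from_bytes(buf[1:1 + size], "big"), 1 + size
    return tag, buf[off:off + length]

def subpackets(area):
    """Yield (type, body) per signature subpacket; the top bit of the type octet is the critical flag."""
    i = 0
    while i < len(area):
        length, off = var_len(area, i)
        body = area[i + off:i + off + length]
        yield body[0] & 0x7F, body[1:]
        i += off + length

def signature_issuer(armored):
    """Issuer named by a v4 signature: {'key_id': 16 hex digits, 'fingerprint': 40 hex digits or None}."""
    tag, body = read_packet(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    # v4 body: version, sig type, pubkey algo, hash algo, hashed subpackets, unhashed subpackets, hash prefix, MPIs
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    info = {"key_id": None, "fingerprint": None}
    for t, v in list(subpackets(body[6:6 + hlen])) + list(subpackets(body[8 + hlen:8 + hlen + ulen])):
        if t == SUBPKT_ISSUER_KEY_ID and info["key_id"] is None:
            info["key_id"] = v.hex().upper()
        elif t == SUBPKT_ISSUER_FPR and v[:1] == b"\x04":
            info["fingerprint"] = v[1:21].hex().upper()
    # For v4 keys the key ID is the low 64 bits of the fingerprint; anything else is malformed or doctored.
    if info["fingerprint"] and info["key_id"] and not info["fingerprint"].endswith(info["key_id"]):
        raise ValueError("issuer key ID does not match issuer fingerprint")
    return info

def pinned_match(info, pinned_fingerprints):
    """'fingerprint' on a full 160-bit match, 'key_id' on a 64-bit-only match, None otherwise.
    A key ID match is weak evidence: keys with a chosen 64-bit key ID can be generated at will."""
    pinned = {p.replace(" ", "").upper() for p in pinned_fingerprints}
    if info["fingerprint"]:
        return "fingerprint" if info["fingerprint"] in pinned else None
    if info["key_id"] and any(p.endswith(info["key_id"]) for p in pinned):
        return "key_id"
    return None

# Constructed sample input (hypothetical fingerprint, dummy 16-bit MPI): valid framing, not a real signature.
SAMPLE_FPR = "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"

def build_sample_signature(with_fingerprint=True, old_format=True):
    """Assemble an armored v4 detached signature that names SAMPLE_FPR as its issuer."""
    fpr = bytes.fromhex(SAMPLE_FPR)
    def sub(t, b):                                    # subpacket: length (incl. type octet), type, body
        return bytes([len(b) + 1, t]) + b
    hashed = sub(2, struct.pack(">I", 1282550103))    # signature creation time
    if with_fingerprint:
        hashed += sub(SUBPKT_ISSUER_FPR, b"\x04" + fpr)
    unhashed = sub(SUBPKT_ISSUER_KEY_ID, fpr[-8:])
    body = (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed   # v4, binary doc, RSA, SHA-256
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34" + b"\x00\x10\x80\x01")
    header = bytes([0x88 if old_format else 0xC2, len(body)])             # tag 2, one-octet length
    b64 = base64.b64encode(header + body).decode()
    return "-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n" + b64 + "\n-----END PGP SIGNATURE-----\n"
```

In practice the check sits next to gpg, not instead of it: run `gpg --status-fd 1 --verify pkg.tar.xz.sig pkg.tar.xz` and compare the fingerprint on its VALIDSIG line with the one you pinned. "Good signature" by itself only says that some key in your keyring verified the file, not that it was the maintainer's key; a signature that names a key you have never pinned (pinned_match returning None above) should stop the build regardless of what the checksum file on the same server says.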