> On 01 Nov 2016, at 00:35, Leonid Isaev <leonid.is...@jila.colorado.edu> wrote:
> 
> Well, my mentality is that authenticating plain-text data is usually not
> necessary because a user can always inspect it

You just can't reliably inspect plain-text install data, unless you spend an 
awful lot of time on it. As already pointed out, it's just too easy to miss 
small malicious changes. And even if you were able to spot those, most average 
users won't, and that's what policies are meant for: the average user.

> Regarding checksums, how did a dev know that upstream sources are authentic?

It's not about the upstream source being authentic, it's about the upstream 
source reaching your hard drive without further (malicious) modification. That 
said, you can't expect a package maintainer to review all the code he uses 
(indirectly) in his package. If you use another (open source) project, that one 
could always be malicious. But we'll assume that case is not likely (in general). 
It is much more likely that an attacker will try to break things you install 
(although I still assume that this is not often) than that a group of attackers 
is hiding malicious software in an (open source) project. The former can be easily 
locked out by checksums, the latter only by extensive code reviews. And even if 
those were done, you'd still have to trust the one who did the review. Since 
there's an easy fix for the former, let's use it. Since there is none for the 
latter, let's keep an eye on it. There's always trust to a certain degree.

Cheers, Lukas
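The point made above, that a pinned checksum catches a one-character edit to a plain-text install file that a reviewer would easily overlook, as an added shell example that is not part of this thread (it assumes coreutils sha256sum is available and constructs its own sample install file):

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: verify a plain-text
# install file against a SHA-256 pinned by the maintainer.
# Assumes coreutils sha256sum; the sample install file is constructed here.

# Print the SHA-256 hex digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_file FILE EXPECTED_SHA256 -> exit 0 on match, 1 on mismatch.
verify_file() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n' "$1" >&2
    return 1
}

# Demonstration on constructed files: the copy the maintainer reviewed
# verifies, a copy with a one-character change (0644 -> 0666) does not.
# Returns 0 when both outcomes are as expected.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/foo.install" <<'EOF'
post_install() {
    chmod 0644 /etc/foo.conf
}
EOF
    # The maintainer pins the hash of the copy that was actually reviewed.
    pinned=$(sha256_of "$dir/foo.install")

    # A small edit that is easy to miss when eyeballing the file.
    sed 's/0644/0666/' "$dir/foo.install" > "$dir/foo.install.tampered"

    if verify_file "$dir/foo.install" "$pinned"; then pristine_ok=1; else pristine_ok=0; fi
    if verify_file "$dir/foo.install.tampered" "$pinned" 2>/dev/null; then tampered_ok=1; else tampered_ok=0; fi
    rm -rf "$dir"
    [ "$pristine_ok" -eq 1 ] && [ "$tampered_ok" -eq 0 ]
}

demo && echo "pinned checksum accepted the reviewed copy and rejected the edited one"
```

Note that the pin only proves the file on disk is the file the maintainer hashed; if the upstream copy was already malicious when it was reviewed, the checksum will still pass, which is the second case the message leaves to code review.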
