On Sun, 2010-08-22 at 19:03 -0500, Bruce Dubbs wrote:
> bendeguz wrote:
>
> > 2. This means it could be possible for some package to have
> > false checksums on the whole internet?
> > So you can't be absolutely sure that you have downloaded a package
> > in the form the maintainer built it?
>
> It's possible, but quite unlikely. It would be discovered and all over
> the net pretty quickly. There are a lot of packages that have optional
> crypto signatures too. See e.g. openssl.
More than just openssl - for almost everything in LFS itself, the download sites provide GPG signatures, and it seems to be the norm for anything hosted on kernel.org or gnu.org. When such signatures are available, I make a point of checking them.

Of course, GPG signatures don't mean anything either if you don't make some effort at verifying the keys they're signed with. It's not really practical to verify them face-to-face with their owners, but I usually throw the key ID into Google and check that I get some hits on relevant mailing lists. If there are messages from the developers citing that as the correct key, it's probably good (assuming their server isn't hopelessly compromised and the mailing list archives tampered with).

Simon.
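The check Simon describes has two halves: gpg must report a good signature, and the key that made it must be the one you previously decided to trust (for instance after finding the developers citing its fingerprint on the project's list). The script below, added here as an example and not part of LFS, BLFS or this thread, does both with a single function. It assumes GnuPG 2.x (whose VALIDSIG status line ends with the primary key fingerprint), that the signing key has already been imported into your keyring, and that the package name and fingerprint in the usage comment are placeholders.

```shell
#!/bin/sh
# Verify a detached GPG signature on a downloaded tarball and pin the
# signing key to an expected fingerprint. Example code added for this
# page; not part of LFS/BLFS. Package name and fingerprint are placeholders.

# Canonical form of a fingerprint as people paste it: upper case, no spaces.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Pull the primary-key fingerprint out of gpg --status-fd output. A line
# looks like (GnuPG 2.x, assumed):
#   [GNUPG:] VALIDSIG <sigfpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> <primaryfpr>
# gpg only emits VALIDSIG for a good signature, so an empty result means
# "no valid signature" (BADSIG, NO_PUBKEY, ERRSIG, ...).
primary_fpr_from_status() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_tarball FILE SIGFILE EXPECTED_FPR
# Returns 0 only if gpg reports a valid signature AND the primary key
# fingerprint equals EXPECTED_FPR; otherwise prints a reason and returns 1.
# A valid signature from the wrong key is treated as a failure on purpose:
# anyone can sign a tampered tarball with a key they made themselves.
verify_tarball() {
    file=$1; sig=$2; expected=$(normalize_fpr "$3")
    [ -f "$file" ] && [ -f "$sig" ] || { echo "missing file or signature" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    # Status lines go to fd 1; the human-readable chatter on stderr is dropped.
    st=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || true
    actual=$(primary_fpr_from_status "$st")
    if [ -z "$actual" ]; then
        echo "BAD or UNKNOWN signature on $file" >&2; return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "signature valid but made by $actual, expected $expected" >&2; return 1
    fi
    echo "OK: $file signed by $actual"
}

# Usage (placeholder package and fingerprint):
# verify_tarball foo-1.0.tar.xz foo-1.0.tar.xz.sig \
#     "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"
```

Keeping the expected fingerprint in the build script rather than relying on whatever key happens to be in the keyring means a later `gpg --recv-keys` of a look-alike key cannot silently make a bad download pass.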
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page