henman wrote:
> Jason,
>
> snipped my and some of Jason's text for brevity:
>
> > I am merely pointing out that your claim the software is not usable
> > by you because of this limitation is not true.
>
> Its usability is not the question, but the possibility of
> "man-in-the-middle" forgeries.
> Sure, people can use anything, if they don't care about their system and
> data.

If your binary is forged, whatever place you grab the hash from (usually the same site) may be forged too. GPG signatures are harder to forge, but to verify it's a reliable signer, you need a good certificate chain... which you will only find on the very same site.
Checksums are useful. When the files I download provide them, I usually check them, basically because I want to make sure the file wasn't corrupted in downloading. It'd be very difficult to find a Linux distro whose ISO doesn't provide a way to verify the file. They're big files, and an error is not so uncommon. If you ask for help about problems, the first thing they'll ask you is: have you verified the MD5?

But if there were somebody in the middle trying to inject a trojan into my download, he'd probably succeed.

You should think about what you want. Just check for integrity? Compressed files, like zips, don't usually provide verification hashes, as they have a CRC built in. MSIs probably do too.

On the other hand, if you want to be sure nobody could have altered your files, why are you using binaries? You need to download the sources and build the files yourself. Obviously, without ever applying an update you haven't verified first...
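The argument in the two posts above, as an added worked example that is not part of the thread and not ClamAV code: a stdlib-only Python model in which a mirror serves a "binary" and, on the same site, its SHA-256; a download error is caught by that hash, a man-in-the-middle who rewrites both the file and the hash page is not, and only a hash obtained over a channel the attacker does not control (a pinned value standing in for a signed announcement, a trusted correspondent, or a value you recorded from the genuine site earlier) tells the two apart. It also shows that a zip's built-in CRC tests clean whoever packed the archive. The binary bytes, the `Mirror` class, and the attacker are all constructed for the example; GPG signatures and certificate chains are not modelled, only the trust point the posts make about where the verification value comes from.

```python
"""Added example (not from the list post): a stdlib-only model of why a hash
published next to the download catches corruption but not a man-in-the-middle
substitution, while a hash obtained out of band does.

Everything here is constructed: the "binary" bytes, the mirror and the
attacker. The pinned hash stands in for any value you got over a channel the
attacker does not control (a signed announcement, a trusted friend's mail,
a hash you recorded from the genuine site earlier).
"""
import hashlib
import hmac
import io
import zipfile

# Constructed sample release and the attacker's trojaned copy.
GENUINE_BINARY = b"MZ\x90\x00 clamav-setup: genuine payload, do not alter"
TROJANED_BINARY = b"MZ\x90\x00 clamav-setup: trojaned payload, calls home"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Mirror:
    """A download site that serves the file and, on the same site, its hash."""

    def __init__(self, binary: bytes):
        self.binary = binary
        self.hash_page = sha256_hex(binary)


def man_in_the_middle(_upstream: Mirror) -> Mirror:
    """Attacker who controls the path replaces BOTH the file and the hash page,
    keeping them consistent with each other."""
    return Mirror(TROJANED_BINARY)


def fetch(mirror: Mirror, transit_error: bool = False):
    """What the client receives: (file bytes, hash page). transit_error models a
    flipped byte from a bad download, the case checksums are really for."""
    data = mirror.binary
    if transit_error:
        i = len(data) // 2
        data = data[:i] + bytes([data[i] ^ 0xFF]) + data[i + 1:]
    return data, mirror.hash_page


def hash_matches(data: bytes, published_hex: str) -> bool:
    """Constant-time compare of the file's SHA-256 with a published hex digest."""
    return hmac.compare_digest(sha256_hex(data), published_hex)


def zip_selftest_passes(payload: bytes) -> bool:
    """Zip's built-in CRC-32: the packer writes it, so whoever repacks the
    archive (the attacker included) produces an archive that tests clean."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup.exe", payload)
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        return zf.testzip() is None  # None means every member's CRC matched


def run_scenarios() -> dict:
    """Return {scenario: verification passed?} for the cases in the thread."""
    genuine = Mirror(GENUINE_BINARY)
    # Value obtained out of band, NOT from the mirror (here: from the genuine bytes).
    pinned_hex = sha256_hex(GENUINE_BINARY)
    results = {}

    data, page = fetch(genuine)
    results["clean download, same-site hash"] = hash_matches(data, page)

    data, page = fetch(genuine, transit_error=True)
    results["corrupted download, same-site hash"] = hash_matches(data, page)

    forged = man_in_the_middle(genuine)
    data, page = fetch(forged)
    # Both file and hash page came from the attacker: the check "succeeds".
    results["mitm download, same-site hash"] = hash_matches(data, page)
    # Only a hash the attacker never touched tells the two apart.
    results["mitm download, pinned hash"] = hash_matches(data, pinned_hex)

    results["genuine zip, builtin crc"] = zip_selftest_passes(GENUINE_BINARY)
    results["trojaned zip, builtin crc"] = zip_selftest_passes(TROJANED_BINARY)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'PASS' if ok else 'FAIL':4}  {name}")
```

The same-site check passing on the trojaned download is the point of the thread: a hash only proves the file matches whatever the hash page says, so it is worth exactly as much as the channel the hash came over. A detached GPG signature moves the problem one step back to where you got the signer's key; a value pinned from a source the attacker cannot reach is the minimum that turns a corruption check into a substitution check.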
