> Bear Giles <[EMAIL PROTECTED]> wrote:
> > But you're biting your own tail here. Where do you get that "good"
> > checksum?
>
> Any place which is acceptable to the package maintainer -- perhaps out
> of a pgp signed archive.

Remember, the start of this discussion was an (FTP) mirroring program that got around encryption export laws by importing software from a site in South Africa. The problem isn't in *producing* a package, it's in *acquiring* that package later.

What happens if someone successfully attacks a site immediately before you mirror it? MD5 checksums aren't adequate, since the attacker can forge new ones. Cryptographically signed checksums don't help, since the software (at time of export) can't include the software to verify them. Downloading PGP from the ZA site won't help because you can't verify *its* checksum. Even if you hardcode in the signature for a known good copy of PGP, download and verify it, then use it to download and verify the latest version, *how do you know your original package was valid*?! Maybe the copy you downloaded actually downloads from blackhat.com.za.

> Bootstrapping is hard -- best you can do for the general case is compare
> notes after you've gotten a secure system up.

And that, it seems, is exactly the "problem" that this program seeks to "fix."

Bear Giles
[EMAIL PROTECTED]