On Tue, Mar 31, 2009 at 11:14:43AM -0300, Han-Wen Nienhuys wrote: > On Tue, Mar 31, 2009 at 10:33 AM, Graham Percival > <gra...@percival-music.ca> wrote: > > I wouldn't say that. It would provide notification of a botched > > download (if anybody checks it), or notification of a very > > sophisicated man-in-the-middle attack whereby somebody attempts to > > hack a system by modifying lilypond tarballs. In order to gain a > > local-user account. > > For the modifying tarballs version, the attacker could also change de > MD5s as the webpages and the binaries are hosted on the same server.
Hmm, good point. Now, I guess that we could start GPG-signing the md5s... but this is getting past the "idle speculation" phase and into "unrestrainedly ridiculous" phase. :) Cheers, - Graham _______________________________________________ lilypond-user mailing list lilypond-user@gnu.org http://lists.gnu.org/mailman/listinfo/lilypond-user