On Thursday 23 June 2005 11:17, Michael Vang wrote:
>
> My only issue with the FTP server has been the lack of MD5 sums to
> verify the download... Which is why when I set up the GIMPS mirror on
> mersenneforum.org I included MD5 sums...

Umm. MD5 (and SHA-1) are looking dodgy these days - there are tools for 
making files with matching hashes, and executable binaries tend to have 
enough non-critical content (text strings etc) embedded in them to make a 
matched hash rather less secure than you would think it should be. OK, better 
than CRC32, but far from a secure safeguard.

SHA-256 & SHA-512 are being talked about as possible replacements. Maybe they 
might survive realistic attacks for a few years.

My principal safeguard against possible compromise of downloaded mprime 
executables is to run them chrooted, as a special user with a small disk 
quota and very, very few privileges.

BTW I didn't intend to imply that anyone else _should_ be using wget - just 
that, if wget works for me, FTP must be working at some level. Most people 
probably don't need a mirror of the master server download directory, indeed 
many people would probably resent the wastage of bandwidth.

Regards
Brian Beesley
_______________________________________________
Prime mailing list
[email protected]
http://hogranch.com/mailman/listinfo/prime
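
Added example, not part of the original message or of any GIMPS tooling: a checker for a `sha256sum`-style manifest that refuses MD5- and SHA-1-length digests, in line with the point above about moving to SHA-256 or SHA-512. The file name and payload are constructed stand-ins.

```python
import hashlib
import hmac
import string
import tempfile
from pathlib import Path

# Hex digest lengths: MD5 = 32 and SHA-1 = 40 are rejected; only these pass.
ACCEPTED = {64: "sha256", 128: "sha512"}

def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines into {filename: (algorithm, digest)}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # '*' marks binary mode in sha256sum output
        algo = ACCEPTED.get(len(digest))
        is_hex = all(c in string.hexdigits for c in digest)
        if algo is None or not is_hex or not name:
            raise ValueError(f"line {lineno}: not a SHA-256/SHA-512 entry")
        entries[name] = (algo, digest.lower())
    return entries

def verify(path, entries):
    """Return True only if the file is listed and its digest matches."""
    path = Path(path)
    if path.name not in entries:
        return False  # an unlisted file is treated as unverified
    algo, expected = entries[path.name]
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

def demo():
    """Verify a constructed file, then modify it and verify again."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "mprime-sample.bin"  # constructed stand-in, not a real release
        f.write_bytes(b"constructed sample payload\n")
        good = hashlib.sha256(f.read_bytes()).hexdigest()
        entries = parse_manifest(f"{good}  {f.name}\n")
        before = verify(f, entries)
        f.write_bytes(b"modified payload\n")
        return before, verify(f, entries)

if __name__ == "__main__":
    print(demo())
```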
