Ray_Net wrote:
Bill Davidsen wrote, On 24/10/2012 22:33:
David E. Ross wrote:
On 10/14/12 3:09 PM, Robert Kaiser wrote:
David E. Ross schrieb:
I go to the FTP server so that I can also download the related SHA1
checksum.

FYI, if you use the SeaMonkey-internal update mechanism, you get both
the advantages of using as-local-as-possible mirrors *and* verification
with a checksum that is not just SHA-1 but SHA-512 - and the checksum
and other info about the update is coming via an encrypted connection
(SSL) that is only allowed to be signed by certain CAs, so that the
delivery mechanism is *really* secure.

Robert Kaiser


Having to maintain two PCs, I prefer to download the update and then
install from my hard drive.  For incremental updates via .mar files, I
developed a .bat file script to do this.

What I really want is to download once and install twice.  The internal
update capability would download twice to install twice.

I recently obtained an application to compute and verify SHA512
checksums.  While Thunderbird updates on the FTP servers have SHA512
checksums as well as MD5 and SHA1, SeaMonkey updates on the FTP servers
have only MD5 and SHA1.

A short word about CRC methods: sources of error are transmission
error and deliberate tampering. The reason people moved away from MD5
was that it is in some cases actually possible to modify a binary and
fudge it to match an MD5sum. The sha1 is more resistant to deliberate
tampering, but since you are getting the binary and CRC values from
the same machine, if someone could hack the binary they could hack the
CRC as well, giving no protection against tampering.

The sha512 is better than sha1 and sha256, but there is a paper out
showing that sha224 is actually more resistant to tampering but less
for random errors. I leave it to you to find and read that topic if
you care, the short answer is that the MD5 is fine as a check for
random damage in most cases, and getting the CRC (of any kind) from
the same site as the binary is a risk. If you want secure, pull the
sha512 via ftp from the master server, then download and check the
actual binary from somewhere fast.

I am happy with the MD5 method to check my download.
I use it to check for:
- SeaMonkey Setup 2.12.1.exe
- seamonkey-2.12.1.fr.langpack.xpi
but I did not find the MD5 values for:
- dictionnaires_francais-4.6-fx+tb+sm.xpi
- adblock_plus-2.1.2-sm+an+fx+tb.xpi
- firebug-1.10.3-fx.xpi



What percentage of people using the Internet actually do some sort of file check like this? Less than 1 %? Who cares?

You know, "paranoia strikes deep". Sorry, I'm an old dude thinking of 60s and 70s music. But, really now, stop obsessing. Get a life. Or, "into your heart it will creep." Relax and enjoy. Sure, be careful but, for God's sake, RELAX!!!

--
Ed Mullen
http://edmullen.net/
You have the right to remain silent. Anything you say will be misquoted, then used against you.
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
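
Added example, not part of any poster's message: the "download once, install twice" workflow discussed in the thread, checking a file fetched from a fast mirror against a checksum list obtained separately from a source you trust more than the mirror. The `HEXDIGEST  filename` list format (as written by sha512sum-style tools), the file name and the sample bytes are assumptions constructed for the illustration.

```python
import hashlib, hmac, os, tempfile

# Hex digest length -> algorithm, for the three checksum types named in the thread.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 128: "sha512"}

def parse_sums(text):
    """Parse 'HEXDIGEST  filename' lines (assumed sha512sum-style list)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")  # '*' = binary-mode marker
        if len(digest) not in ALGO_BY_HEXLEN or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        entries.setdefault(name, {})[ALGO_BY_HEXLEN[len(digest)]] = digest
    return entries

def verify(path, trusted_sums, name=None, require="sha512"):
    """Hash the local file and compare it with the trusted list's entry.

    Raises LookupError when the list has no entry of the required strength,
    so a list offering only MD5/SHA-1 is not silently accepted.
    """
    name = name or os.path.basename(path)
    expected = parse_sums(trusted_sums).get(name, {}).get(require)
    if expected is None:
        raise LookupError(f"no {require} entry for {name}")
    h = hashlib.new(require)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large installers
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

def demo():
    """Constructed data: a stand-in installer and the list a trusted server would publish."""
    good = b"constructed installer bytes\n"
    trusted = (f"{hashlib.sha512(good).hexdigest()}  Setup 1.0.exe\n"
               f"{hashlib.sha1(good).hexdigest()} *Setup 1.0.exe\n")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Setup 1.0.exe")
        with open(path, "wb") as f:
            f.write(good)
        intact = verify(path, trusted)          # mirror copy matches the trusted list
        with open(path, "wb") as f:
            f.write(good + b"modified in transit or on the mirror")
        altered = verify(path, trusted)         # same name, different bytes
    return intact, altered
```

The check is only as trustworthy as the channel the checksum list arrived over; a list taken from the same mirror as the binary detects transfer damage but not a replaced file.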
