Re: All the md5 hashes in every single update message sent to this list

[ben () b1towel com]

What is the advantage of having all the hashes posted to the list over
doing something like having a digitally signed text file next to the
update on their servers and occasionally publish the pubkey to the list? I
feel like that would provide the same level of confidence the package was
unaltered as just reading the hashes from the list.

> They do this so that people who are manually installing or updating
> software
> can also verify that the package they are installing is, in fact, the
> exact
> same one that the software packager released -- this reduces (but not
> eliminates) the chance that someone malicious may have been able to slip
> something into the update package unnoticed by the installer or the
> packager.
>
> On Fri, Oct 15, 2010 at 11:22 PM, B1towel <ben () b1towel com> wrote:
>
> > What is the purpose of all the patch notification emails that when a
> > security vulnerability is fixed the people who send out the notification
> > email include a 5 mile long list of md5 hashes for every single package
> > and
> > all dependancies for the package that was updated? I feel that
> > information
> > does not need to be in the notification that the latest version fixed a
> > security vulnerability, and to me it just gets in the way of reading the
> > occasionally useful content this list has to offer.
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/