Re: [Full-disclosure] All the md5 hashes in every single update message sent to this list
- To: "Zach C." <fxchip@xxxxxxxxx>
- Subject: Re: [Full-disclosure] All the md5 hashes in every single update message sent to this list
- From: ben@xxxxxxxxxxx
- Date: Sat, 16 Oct 2010 11:45:52 -0400
What is the advantage of having all the hashes posted to the list over
doing something like having a digitally signed text file next to the
update on their servers and occasionally publishing the pubkey to the list? I
feel like that would provide the same level of confidence that the package was
unaltered as just reading the hashes from the list.
> They do this so that people who are manually installing or updating software
> can also verify that the package they are installing is, in fact, the exact
> same one that the software packager released -- this reduces (but does not
> eliminate) the chance that someone malicious may have been able to slip
> something into the update package unnoticed by the installer or the
> packager.
>
> On Fri, Oct 15, 2010 at 11:22 PM, B1towel <ben@xxxxxxxxxxx> wrote:
>
>> What is the purpose of all the patch notification emails where, when a
>> security vulnerability is fixed, the people who send out the notification
>> email include a 5 mile long list of md5 hashes for every single package and
>> all dependencies for the package that was updated? I feel that information
>> does not need to be in the notification that the latest version fixed a
>> security vulnerability, and to me it just gets in the way of reading the
>> occasionally useful content this list has to offer.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
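The thread is about the long lists of package hashes that accompany update notices, and what they actually let a recipient check. The script below is an added illustration, not code from any poster or vendor: it parses a manifest in the `md5sum`/`sha256sum` output format (the format those lists are usually in), recomputes each package's digest, and reports which packages match, which were altered and which are absent. The file names, contents and the tampering step are all constructed inside `build_demo()` for the demo; the only thing the example assumes is that the manifest was obtained from somewhere the downloader trusts more than the download server itself, which is exactly the property a signed manifest (as proposed above) is meant to provide.

```python
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Parse 'hexdigest  filename' lines (md5sum/sha256sum style) into {filename: hexdigest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or not name.strip():
            raise ValueError("malformed manifest line: %r" % line)
        entries[name.strip()] = digest.lower()
    return entries


def file_digest(path, algo):
    """Stream a file through hashlib so large packages do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_packages(directory, manifest_text, algo="md5"):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every entry in the manifest."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = file_digest(path, algo)
        # compare_digest avoids timing differences; hex strings of equal length compare safely.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def build_demo():
    """Constructed scenario: two packages are 'released' and hashed, then one is altered afterwards."""
    d = tempfile.mkdtemp()
    pkgs = {
        "foo-1.0.tar.gz": b"constructed foo contents\n",
        "libbar-2.3.tar.gz": b"constructed libbar contents\n",
    }
    for name, data in pkgs.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    # The manifest is computed from the pristine files, as a packager would publish it.
    manifest = "\n".join("%s  %s" % (file_digest(os.path.join(d, n), "md5"), n) for n in pkgs)
    # One more entry refers to a package that was never downloaded (placeholder digest).
    manifest += "\nffffffffffffffffffffffffffffffff  baz-0.1.tar.gz\n"
    # Simulate a modification after release: append bytes to one package on "the mirror".
    with open(os.path.join(d, "foo-1.0.tar.gz"), "ab") as f:
        f.write(b"appended after release\n")
    return d, manifest


def demo():
    """Run the constructed scenario and return the per-package verification results."""
    d, manifest = build_demo()
    return verify_packages(d, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-20s %s" % (name, status))
```

Running it prints `foo-1.0.tar.gz mismatch`, `libbar-2.3.tar.gz ok` and `baz-0.1.tar.gz missing`. The check only detects changes relative to the manifest; if an attacker can replace both the package and the hash list on the same server, the comparison still passes, which is why the mail above argues for signing the manifest and publishing the key separately rather than inlining hashes in every notice.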