Re: Re: installation of 2016-01-24/pspp-090+20160124-snapshot-64bits-set
From: John Darrington
Subject: Re: Re: installation of 2016-01-24/pspp-090+20160124-snapshot-64bits-setup.exe
Date: Sat, 30 Jan 2016 09:33:21 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Fri, Jan 29, 2016 at 10:12:28PM +0100, Harry Thijssen wrote:
> Have a look at
> http://sourceforge.net/p/forge/documentation/Verifying%20downloaded%20files/
> You can copy/paste the checksums from sourceforge.
> In the current versions of the MSWindows package build these checksums are
> not included as files, I will include the checksum files for the .exe
> files in upcoming builds for easier checksum checking.

The checksums are fine for protection against accidental corruption during
download - the chances of a corrupt file having the same checksum are
astronomically small.
However they are little use against somebody who is deliberately being
malicious.
If sourceforge got compromised, then the bad guy could upload a virus-infected
binary and a checksum to match. So everything would look fine.
A PGP signature would offer better security in this case, provided that you
also:
1. Keep the private key secure!!
2. Have the corresponding public key signed and verified by as many trusted
   sources as possible.
J'
--
Avoid eavesdropping. Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3
fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.
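
The difference described in the message above, as an added example that is not part of the original post: a checksum stored next to the download catches accidental corruption but follows a replaced binary, while a signature checked against a key the user already trusts does not. Toy textbook RSA built from two publicly known Mersenne primes stands in for PGP here (insecure, illustration only), and all function names and sample bytes are constructed for this example.

```python
import hashlib

# Toy key: stand-in for the maintainer's PGP key pair. NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, obtained out of band by the user
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, never stored on the download site

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def publish(installer: bytes) -> dict:
    """Maintainer side: the three things uploaded to the download site."""
    return {"exe": installer,
            "sha256": hashlib.sha256(installer).hexdigest(),
            "sig": pow(digest(installer), D, N)}

def corrupt_in_transit(site: dict) -> dict:
    """Accidental damage: one byte of the download is flipped."""
    exe = bytes([site["exe"][0] ^ 0xFF]) + site["exe"][1:]
    return {**site, "exe": exe}

def compromise(site: dict, evil: bytes) -> dict:
    """Site compromise: binary replaced, checksum recomputed to match.
    Without the private key the old signature cannot be regenerated."""
    return {**site, "exe": evil, "sha256": hashlib.sha256(evil).hexdigest()}

def check(site: dict) -> tuple:
    """User side: returns (checksum_ok, signature_ok)."""
    checksum_ok = hashlib.sha256(site["exe"]).hexdigest() == site["sha256"]
    signature_ok = pow(site["sig"], E, N) == digest(site["exe"])
    return checksum_ok, signature_ok

if __name__ == "__main__":
    good = publish(b"constructed installer bytes")
    for label, site in [("genuine", good),
                        ("corrupted download", corrupt_in_transit(good)),
                        ("compromised site", compromise(good, b"constructed evil bytes"))]:
        print(label, check(site))
```

The signature check only helps because the public key comes from somewhere other than the download site, which is what the two numbered conditions in the message are about.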