[Pharo-dev] [ANN] sha256 checksum for Pharo6 downloads
marcus.denker at inria.fr
Wed Oct 25 04:48:08 EDT 2017
>>> Would it not be cleaner if the signature was next to the resource ? Like
>>> Or is that the next step ?
>> Already there. But a signature like that is not a guarantee if it is downloaded from the same server… especially of that server does not
>> use SSL…
>> The “stack vector” that a checksum protects against is the compromise of a download server, especially untrusted mirrors. For that,
>> the checksum needs to come from some other (trusted) source. E.g. normally it is inlined on the download website.
>> But of course these things are never 100% guarantees, they just make it harder to do bad things.
> Ah, OK, I understand, I just think that a shorter/simpler/easier-to-remember URL for the signature would be better.
I will put them on pharo.org <http://pharo.org/> later, too (in a dedicated directory). And link them from the download page.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pharo-dev