[Pharo-dev] [ANN] sha256 checksum for Pharo6 downloads

Marcus Denker marcus.denker at inria.fr
Wed Oct 25 04:48:08 EDT 2017


>> 
>>> Would it not be cleaner if the signature was next to the resource ? Like 
>>> 
>>> http://files.pharo.org/platform/Pharo6.1-mac.zip.sha256.txt
>>> 
>>> Or is that the next step ?
>>> 
>> 
>> Already there. But a signature like that is not a guarantee if it is downloaded from the same server… especially if that server does not
>> use SSL… 
>> 
>> The “attack vector” that a checksum protects against is the compromise of a download server, especially untrusted mirrors. For that, 
>> the checksum needs to come from some other (trusted) source. E.g. normally it is inlined on the download website.
>> 
>> But of course these things are never 100% guarantees, they just make it harder to do bad things.
> 
> Ah, OK, I understand, I just think that a shorter/simpler/easier-to-remember URL for the signature would be better.
> 
I will put them on pharo.org <http://pharo.org/> later, too (in a dedicated directory). And link them from the download page.

	Marcus
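An added example, not code from the Pharo project or from anyone in this thread, of the verification step the thread describes: the archive is downloaded from a (possibly untrusted) mirror, while the sha256 line is copied from a separate trusted source such as the TLS-served download page, and the two are compared locally. The script is POSIX sh and assumes either `sha256sum` (coreutils) or `shasum` (macOS) is installed; the file name `Pharo6.1-mac.zip` is taken from the thread, but the sample content and its digest used in the demo are constructed for illustration, not real Pharo checksums.

```shell
#!/bin/sh
# Added example (not Pharo project code): check a downloaded archive against a
# sha256 checksum line obtained from a *different*, trusted source than the
# file itself. A checksum served by the same (plain-HTTP) mirror proves nothing,
# because whoever tampers with the archive can rewrite the checksum too.
set -eu

# Hex sha256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Pull the 64-hex-digit digest out of a "<hex>  <filename>" line, the format
# that sha256sum/shasum emit and that "-c" accepts. Prints nothing if the line
# is malformed, so a truncated or HTML-error-page "checksum" is rejected.
digest_from_checksum_line() {
    printf '%s\n' "$1" \
        | sed -n 's/^\([0-9a-fA-F]\{64\}\)[[:space:]].*/\1/p' \
        | tr 'A-F' 'a-f'
}

# verify_download FILE CHECKSUM_LINE
# Returns 0 when FILE's sha256 equals the digest in CHECKSUM_LINE, 1 otherwise.
verify_download() {
    file=$1
    expected=$(digest_from_checksum_line "$2")
    if [ -z "$expected" ]; then
        echo "refusing: checksum line is not a sha256 line: $2" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the pinned sha256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected (from trusted source)" >&2
    echo "  actual   $actual (what the mirror served)" >&2
    return 1
}

# Demo on a constructed file (stands in for Pharo6.1-mac.zip fetched from a
# mirror). The digest below is sha256 of the bytes "hello\n", not a real Pharo
# checksum; in practice the line is copied from the HTTPS download page.
demo=$(mktemp)
printf 'hello\n' > "$demo"
pinned="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  Pharo6.1-mac.zip"
tampered="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  Pharo6.1-mac.zip"
verify_download "$demo" "$pinned"   || echo "unexpected: good file rejected"
verify_download "$demo" "$tampered" 2>/dev/null || echo "tampered archive correctly rejected"
rm -f "$demo"
```

In real use the archive would come from `curl -O http://files.pharo.org/platform/Pharo6.1-mac.zip` (or any mirror) and the checksum line would be pasted from the TLS-served download page, never fetched from the same unauthenticated host; the point of the separate `digest_from_checksum_line` step is that a mirror returning an error page instead of a checksum fails closed rather than matching an empty string.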
