Troy Benjegerdes [ARCHIVE] on Nostr
📅 Original date posted: 2014-01-03
📝 Original message: On Fri, Jan 03, 2014 at 07:21:17PM +0100, Jorge Timón wrote:
> On 1/3/14, Troy Benjegerdes <hozer at hozed.org> wrote:
> > 'make' should check the hash.
>
> An attacker could replace that part of the makefile.
> Anyway, I think this is more oriented for compiled binaries, not for
> people downloading the sources. I assume most of those people just use
> git.
>
> > The binary should check its own hash.
>
> I'm afraid this is not possible.
>
> > The operating system should check the hash.
>
> There are package management systems like apt-secure that do exactly this.

Yes. Promoting operating systems (and signed .deb packages) is a far better
thing to do than worrying about TLS on the bitcoin.org server.