Are checksums really necessary for files when downloading over TLS? Can corruption still happen? If so, how?

@makeworld if an admin screws up adding the file (sig and file don’t match) due to malice or incompetence, or a scripted update fails, or a hacker takes over the site, then yes. Independently hosted hashes are essential. See *BSD hashes posted separately at release time, or browsers using hashes to validate scripts and images all hosted externally.

Trust But Verify.
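An added example, not part of the thread: a Python sketch of the browser-style integrity check mentioned above (`alg-base64digest` values, strongest listed algorithm wins), showing that a digest pinned out of band rejects a replaced file while a digest regenerated beside the file does not. The function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac

# When several digests are listed, only the strongest algorithm is checked.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_value(data: bytes, alg: str = "sha384") -> str:
    """Build an integrity value ("alg-base64digest") for the given bytes."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def parse_integrity(attr: str) -> dict:
    """Group the digests of a whitespace-separated integrity string by algorithm."""
    by_alg = {}
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if not sep or alg not in _STRENGTH:
            continue  # unknown or malformed entries are ignored
        try:
            by_alg.setdefault(alg, []).append(base64.b64decode(rest, validate=True))
        except ValueError:
            continue  # bad base64 is ignored
    return by_alg


def verify(data: bytes, attr: str) -> bool:
    """True only if data matches a digest of the strongest listed algorithm."""
    by_alg = parse_integrity(attr)
    if not by_alg:
        return False  # fail closed: no usable pinned digest, no verification
    strongest = max(by_alg, key=_STRENGTH.__getitem__)
    actual = hashlib.new(strongest, data).digest()
    return any(hmac.compare_digest(actual, d) for d in by_alg[strongest])


# Constructed sample data (not real release artifacts).
RELEASE = b"release-1.0 tarball bytes"
TAMPERED = RELEASE + b" plus injected payload"
PINNED = sri_value(RELEASE)                 # recorded at release time, hosted elsewhere
SAME_SITE = sri_value(TAMPERED, "sha256")   # regenerated next to the replaced file

if __name__ == "__main__":
    print("tampered vs pinned digest:   ", verify(TAMPERED, PINNED))
    print("tampered vs same-site digest:", verify(TAMPERED, SAME_SITE))
```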

@dch signatures, independently hosted hashes, or pre-downloaded hashes definitely seem useful to me, yeah. I guess I'm just wondering about when none of those conditions are met, like autogenerated hashes on a GitHub Release.

