Subject: Re: little hacking project: bulk build checksums
To: Lasse Kliemann <lasse-list-tech-pkg-netbsd-2004@plastictree.net>
From: Gavan Fantom <gavan@coolfactor.org>
List: tech-pkg
Date: 01/25/2005 13:54:40

On Sat, 22 Jan 2005, Lasse Kliemann wrote:

>> Verify (manually) that the binary pkgs are not modified.
>
> Modified by whom?
>
> He who can modify the binary packages can also modify the checksums, unless you
> take extra precautions via file permissions and ownerships. But then, you can
> protect the binary packages against modification from the start.

While that's the most talked about scenario nowadays, I've found these 
(unsigned) checksums extremely useful for proving that a problem 
installing NetBSD was in fact down to data corruption.

The person doing the installation didn't believe me that there was a 
problem with the ISO image until I had him actually verify the checksum.

So I'd say, even without digital signatures, checksum files *are* useful.

-- 
Gillette - the best a man can forget
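
Added example, not part of the original message: a Python sketch of both points made in this thread. An unsigned checksum file catches accidental corruption, but a copy where both the package and the checksum file were rewritten passes the check unless the checksum file itself is authenticated. File names, contents and the key are constructed, and an HMAC tag stands in for the digital signature mentioned above.

```python
import hashlib
import hmac

def make_manifest(files):
    """Build checksum-file text: one 'sha256hex  name' line per file."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))

def verify(files, manifest):
    """Return the sorted names that are missing or do not match the manifest."""
    bad = []
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        data = files.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    return sorted(bad)

def tag(manifest, key):
    """Keyed tag over the manifest (assumed stand-in for a signature)."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()

def verify_authenticated(files, manifest, manifest_tag, key):
    """Check the manifest's own tag first; return None if it cannot be trusted."""
    if not hmac.compare_digest(tag(manifest, key), manifest_tag):
        return None
    return verify(files, manifest)

# Constructed sample data: two stand-in binary packages and a demo key.
KEY = b"constructed-demo-key"
ORIGINAL = {"foo-1.0.tgz": b"package contents A" * 100,
            "bar-2.1.tgz": b"package contents B" * 100}
MANIFEST = make_manifest(ORIGINAL)
TAG = tag(MANIFEST, KEY)

def corrupted_copy():
    """The data-corruption case: one bit flipped, manifest untouched."""
    files = dict(ORIGINAL)
    blob = bytearray(files["foo-1.0.tgz"])
    blob[10] ^= 0x01
    files["foo-1.0.tgz"] = bytes(blob)
    return files

def rewritten_copy():
    """The write-access case: package changed and manifest regenerated."""
    files = dict(ORIGINAL)
    files["bar-2.1.tgz"] = b"different contents"
    return files, make_manifest(files)
```

The plain `verify` is what a manual checksum comparison does; `verify_authenticated` only adds anything if the key (or, with real signatures, the private key) is kept away from whoever can write to the package directory.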