Xfce 4.4 RC2 released!

Brian J. Tarricone bjt23 at cornell.edu
Mon Nov 6 10:18:39 CET 2006


Martti Kuparinen wrote:
> Would it be possible to show also SHA1 sums for each .tar.bz2 file (in addition
> to MD5)? In other words, I'd like to see
> http://www.xfce.org/archive/xfce-4.3.99.2/src/xfce-4.3.99.2.sha1

The MD5 sums are intended as a download integrity check, not as a
security measure.  It's highly improbable that random chance could
corrupt your download and generate a collision with the correct hash.

	-brian

P.S. Hosting an MD5/SHA1 file on the same server as the tarballs makes it
useless as a security check; if the attacker can modify a tarball,
he/she can modify the MD5/SHA1 file as well.  The only real way to
ensure integrity (as a security measure) would be to digitally sign the
tarballs.  And even then, you have to trust that the signing key has not
been compromised and that the public key you use for verification really
corresponds to someone 'authorised' to make the release.
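
The point of the P.S. as an added example, not part of the original message: a checksum file stored beside the tarball still verifies after both are replaced, while a detached signature checked against a public key obtained elsewhere does not. File names, contents and the throwaway RSA key pair are constructed for the demo; `openssl`, `sha1sum` and `mktemp` are assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: file names, contents and the key pair are made up here.

# Release manager: sign with a private key that never touches the mirror.
publish() {  # $1 = mirror dir, $2 = private key
    printf 'original release contents\n' > "$1/demo.tar.bz2"
    (cd "$1" && sha1sum demo.tar.bz2 > demo.sha1)
    openssl dgst -sha256 -sign "$2" -out "$1/demo.tar.bz2.sig" "$1/demo.tar.bz2"
}

# Someone with write access to the mirror only: the tarball changes and the
# checksum file next to it is regenerated; the signature cannot be.
tamper() {  # $1 = mirror dir
    printf 'modified release contents\n' > "$1/demo.tar.bz2"
    (cd "$1" && sha1sum demo.tar.bz2 > demo.sha1)
}

# Downloader, check 1: checksum file fetched from the same mirror.
check_sum() {  # $1 = mirror dir
    (cd "$1" && sha1sum -c demo.sha1 >/dev/null 2>&1)
}

# Downloader, check 2: detached signature against a public key obtained
# out of band (assumed trustworthy, which is the caveat in the P.S.).
check_sig() {  # $1 = mirror dir, $2 = trusted public key
    openssl dgst -sha256 -verify "$2" -signature "$1/demo.tar.bz2.sig" \
        "$1/demo.tar.bz2" >/dev/null 2>&1
}

report() { if "$@"; then echo "  $1: pass"; else echo "  $1: FAIL"; fi; }

work=$(mktemp -d)
mkdir "$work/mirror"
# In a real release process release.key stays offline; it sits in $work only for the demo.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/release.key" 2>/dev/null
openssl pkey -in "$work/release.key" -pubout -out "$work/trusted.pub"

publish "$work/mirror" "$work/release.key"
echo "as published:"
report check_sum "$work/mirror"
report check_sig "$work/mirror" "$work/trusted.pub"

tamper "$work/mirror"
echo "after the mirror copy is modified:"
report check_sum "$work/mirror"
report check_sig "$work/mirror" "$work/trusted.pub"
```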




