[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fedora 8 torrents aren't signed!?



On Mon, Nov 12, 2007 at 03:14:32 +0100,
  Björn Persson <listor3 rombobeorn tdcpost se> wrote:
> söndagen den 11 november 2007 skrev Rahul Sundaram:
> > http://fedoraproject.org/verify is up. Would be added to the download
> > page soon.
> 
> That page says, quite correctly, that the downloaded file should be verified 
> for security and integrity. Then it says that if the file was downloaded via 
> Bitorrent it has already been verified. Is that really so? As far as I know 
> Bittorrent verifies for integrity but not for security – that is, it guards 
> against errors in the download process but not against a maliciously modified 
> torrent. Does Bittorrent verify some cryptographic signature that I don't 
> know about?

It guards against malicious peers. If you somehow bad a bad torrent file
that pointed you to the wrong place to start the download, you could get
a bad copy.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]