Comment 25 for bug 1767402

Gianfranco Costamagna (costamagnagianfranco) wrote :

>BTW: How do you verify that the hash sum is the correct one?
>If you just download the file from somewhere on the internet and take that hash sum to verify the same file, it's not of much use, from a security point of view. It just proves that it is the very same file again, but not that it is the original file. Smells a little bit like snakeoil security.

I take the hashes from the HTTPS-secured upstream download repository, and verify them with md5 sha256 after downloading the ext-pack itself over HTTPS.

The hash validated by me is then hard-coded in the postinst file, and signed with my personal GPG key, so it is not tamperable anymore.
You can see the hashes for yourself if you want.
https://download.virtualbox.org/virtualbox/5.2.10

G.
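
The pinned-hash check described in this comment, sketched as an added example (not part of the comment and not the package's actual postinst): the script carries the expected SHA-256 itself and refuses to install a download that does not match. The function names, file names and the sample pin are hypothetical; the sample content `abc` is constructed for the demo.

```shell
#!/bin/sh
# Added illustration of a maintainer-script style check against a hard-coded hash.

# verify_pinned_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on a malformed pin, 3 if FILE is unreadable.
verify_pinned_sha256() {
    file=$1
    expected=$2
    # A pin must be exactly 64 hex characters; an empty or truncated pin
    # must never be treated as a match.
    case $expected in
        *[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 3
    # Read via stdin so the file name never appears in sha256sum's output.
    actual=$(sha256sum < "$file" | cut -d' ' -f1) || return 3
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# install_if_verified FILE EXPECTED_HEX DEST
# Fails closed: on any verification failure the download is deleted, not installed.
install_if_verified() {
    if verify_pinned_sha256 "$1" "$2"; then
        cp "$1" "$3"
    else
        rm -f "$1"
        return 1
    fi
}

# Constructed demo: the content "abc" and its SHA-256 stand in for the real
# download and for the hash hard-coded in the signed script.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/ext-pack.sample"
PINNED=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
if install_if_verified "$demo_dir/ext-pack.sample" "$PINNED" "$demo_dir/installed"; then
    echo "hash matches pin: installed"
else
    echo "hash mismatch: download discarded"
fi
rm -rf "$demo_dir"
```

Because the pin sits inside the script, changing it requires changing the signed package, which is the property the comment relies on.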