8.04 md5sums
Florin Andrei
florin at andrei.myip.org
Thu Apr 24 17:43:54 UTC 2008
Mario Vukelic wrote:
>
> If someone has compromised the iso on the server, he will also have
> uploaded the accompanying md5sum
Yes, that's straight from the Captain Obvious textbook, but in the field
of security, the "all or nothing" way of thinking does not get you too
far. At some point, you have to trust something.
Are the MD5 sums that I posted on the list trustworthy? Not so much.
Are the MD5 sums on the mirrors more trustworthy than mine? Usually yes.
Are they 100% trustworthy? No.
Are there any MD5 sums more trustworthy than those on the mirrors?
(e.g., MD5 sums on the ubuntu.com website)
If yes, use them.
If not, you have to trust the MD5 sums on the mirrors.
If there are any MD5 sums on ubuntu.com, are _those_ 100% trustworthy? No.
So you have to stop somewhere and accept that 100% certainty simply does
not exist. Just make the choice that is best for the current situation.
In most cases for the average user, MD5 sum files from a mirror hosted
by a large company or university should be trustworthy enough. If you
compare them with MD5s from other mirrors, hosted by independent
entities, and they match, they become more trustworthy. (and yes,
they're not 100% safe even then - obligatory note to stop nitpicking)
--
Florin Andrei
http://florin.myip.org/
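
The cross-check described in the last paragraph of the post, as an added example that is not part of the original message: it accepts a digest only when every listing that names the file agrees and at least two independent operators vouch for it, then compares the downloaded bytes against that digest. The operator names, file name, image bytes and listings are constructed sample data, and the two-operator threshold is an assumption.

```python
import hashlib
from collections import defaultdict

def parse_md5sums(text):
    """Parse md5sum(1) listing lines: '<32 hex digits>  name' or '<32 hex digits> *name'."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums

def agreed_digest(filename, sources, min_operators=2):
    """sources: (operator, listing_text) pairs. Return the digest only if every
    listing that names the file agrees and enough independent operators vouch."""
    vouchers = defaultdict(set)
    for operator, text in sources:
        digest = parse_md5sums(text).get(filename)
        if digest:
            vouchers[digest].add(operator)
    if len(vouchers) != 1:
        raise ValueError(f"no single digest for {filename}: {dict(vouchers)}")
    digest, operators = next(iter(vouchers.items()))
    if len(operators) < min_operators:
        raise ValueError(f"only {len(operators)} independent operator(s) vouch")
    return digest

def verify(data, filename, sources, min_operators=2):
    """True when the downloaded bytes hash to the cross-checked digest."""
    return hashlib.md5(data).hexdigest() == agreed_digest(filename, sources, min_operators)

# Constructed sample data: a stand-in for the ISO bytes and three mirror listings.
NAME = "sample-8.04.iso"
IMAGE = b"constructed stand-in for ISO contents"
GOOD = hashlib.md5(IMAGE).hexdigest()
SOURCES = [
    ("university-a", f"{GOOD} *{NAME}\n"),
    ("company-b", f"{GOOD.upper()}  {NAME}\n"),
    ("company-b", f"{GOOD}  {NAME}\n"),  # second mirror, same operator: counts once
]

if __name__ == "__main__":
    print("image matches cross-checked digest:", verify(IMAGE, NAME, SOURCES))
```

A listing from any one source that disagrees makes `agreed_digest` raise instead of picking a side, which is the point at which a person has to decide which source to trust.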