[Interest] sha256 checksums for Qt downloads

Thiago Macieira thiago.macieira at intel.com
Thu Feb 19 17:44:37 CET 2015


On Thursday 19 February 2015 16:25:19 Jérôme Pinguet wrote:
> Here is the problem: someone could modify the files (introduce a
> backdoor in Qt binaries for instance) and those modified files would
> still verify well with md5. Then it's not that difficult (particularly
> with http) to do a man in the middle attack and someone trying to
> download Qt binaries would in fact download a third party binary with
> malware, trojans or backdoors included.
> Up to this day, as long as the cryptographic community is aware, doing
> the same with sha2 checksums is impossible.

If you want this kind of security, build from Git after verifying the 
integrity of the history.

Git history is cryptographically secure. The one element we don't use is GPG-
signing the release.
-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
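
Added example, not part of the original message or of Qt's or Git's code: a Python illustration of why checking a single commit id covers the history behind it. It recomputes object ids in Git's default SHA-1 object format, where each commit's id hashes its tree and its parent commit ids. The function names, file contents and author line are constructed for the example.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Object id = SHA-1 over '<kind> <size>\\0' + body (Git's default format)."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree_id(files: dict) -> str:
    """Tree of regular files: each entry is 'mode name\\0' + raw 20-byte blob id."""
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += b"100644 " + name.encode() + b"\0" + blob
    return git_object_id("tree", body)

def commit_id(tree: str, parents: list, message: str) -> str:
    """A commit body names its tree and parent commits, so its id covers both."""
    who = "Constructed Author <author@example.invalid> 1424364277 +0100"
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {who}", f"committer {who}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def history_tip(snapshots: list) -> str:
    """Commit each snapshot on top of the previous one; return the last commit id."""
    parents = []
    for i, files in enumerate(snapshots):
        parents = [commit_id(tree_id(files), parents, f"commit {i}")]
    return parents[0]

# Constructed three-commit history, and a copy with one byte changed in commit 0.
HISTORY = [{"main.cpp": b"int main() { return 0; }\n"},
           {"main.cpp": b"int main() { return 0; }\n", "README": b"hello\n"},
           {"main.cpp": b"int main() { return 1; }\n", "README": b"hello\n"}]
TAMPERED = [{"main.cpp": b"int main() { return 0; } \n"}] + HISTORY[1:]

if __name__ == "__main__":
    print("tip of original history:", history_tip(HISTORY))
    print("tip of tampered history:", history_tip(TAMPERED))
```

The final snapshot is identical in both histories, yet the tip ids differ because the change in the first commit propagates through every parent link.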



