[Interest] sha256 checksums for Qt downloads
Thiago Macieira
thiago.macieira at intel.com
Thu Feb 19 17:44:37 CET 2015
On Thursday 19 February 2015 16:25:19 Jérôme Pinguet wrote:
> Here is the problem: someone could modify the files (introduce a
> backdoor in Qt binaries for instance) and those modified files would
> still verify well with md5. Then it's not that difficult (particularly
> with http) to do a man in the middle attack and someone trying to
> download Qt binaries would in fact download a third party binary with
> malware, trojans or backdoors included.
> Up to this day, as long as the cryptographic community is aware, doing
> the same with sha2 checksums is impossible.
If you want this kind of security, build from Git after verifying the
integrity of the history.
Git history is cryptographically secure. The one element we don't use is GPG-
signing the release.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center