On 12/03/2016 10:37 PM, Maxwell Anselm via arch-general wrote:
>> You mean the source files that you downloaded and then hashed...
>>
> Yes. If the source files are being modified via a MITM attack (which is
> trivial if the host uses HTTP) the checksum is still useful.

This sounds a lot like a "solution in search of a problem to fix" and blindly applying any "fix" where it is provably meaningless really causes credibility (not to mention the Arch KISS philosophy) to take a beating.

I'm all for validation and stronger hashes, but applying them in a circumstance where there is no way to validate against any original -- is just bat-shit crazy.

--
David C. Rankin, J.D.,P.E.