[tex-live] hosting inst image
f.rougon at free.fr
Sat Mar 3 11:23:34 CET 2007
Reinhard Kotucha <reinhard.kotucha at web.de> wrote:
> If BT provides its own facilities to check for authenticity and
> completeness md5sum is probably not needed.
I disagree. Who controls BT? Not any member of tug.org, AFAIK.
Therefore, I trust tug.org to provide a valid checksum, but not BT.
To make it clear, would you feel safe downloading the ISO image from
some obscure dictatorship's government website, with no means to check
its authenticity? I wouldn't. It may be that BT people don't have bad
intentions. Frankly, I don't know; I've never checked, not even used
their protocol. But even then, they could have been cracked and not be
aware of it. Since the authoritative source for TL is tug.org, the best
way not to degrade security from this point on is to publish checksums
[ Even better would be to have them signed by an OpenPGP key from Karl
(e.g., with GnuPG), which would be "transitively signed" by your own
key, a key being signed only when you have made your best to ensure
the key belongs to the person whose name and email address(es) are
listed on it, which normally means meeting the person in real life and
checking her ID document. cf. the "web of trust". ]
More information about the tex-live