Comment Re:Seems (Score 1) 486
Perhaps the parent needs to be modded up...
Authentication (IIRC) is the term used when describing the need to assure the source of any given package (e.g. via PGP signature, etc.).
This means that the MD5 sum is signed by an entity verifiable by a certificate of authentication that is difficult or near-impossible to spoof (e.g. asymmetrical public/private keypair, etc.).
So, in the event that an intruder manipulates code/binaries/checksums, it is unlikely they will be able to manipulate the certificate of authentication.
It is important to note that if the *only* place you store the cert (i.e. PGP key, etc.) is in a file in the same directory, or on a web page on a local server, you're asking to have that spoofed as well. This is why (I think) you're supposed to advertise your public key as much as possible (to a reasonable extent, I'm sure) -- to provide verifiability.
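The point made in the comment above, as an added example that is not part of the original comment: a verifier that trusts the key shipped in the download directory accepts a consistently replaced release, while one that pins a key fingerprint obtained elsewhere rejects it. Toy textbook RSA over fixed Mersenne primes stands in for PGP and SHA-256 for MD5; every name and sample value is constructed for illustration, and the toy signature scheme is not usable cryptography.

```python
import hashlib

E = 65537  # public exponent for the toy keys

def make_key(p, q):
    """Toy textbook-RSA key pair from two known primes: (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def fingerprint(pub):
    """Short identifier of a public key, the thing to advertise widely."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

def _digest_int(text, n):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def sign(priv, text):
    n, d = priv
    return pow(_digest_int(text, n), d, n)

def sig_ok(pub, text, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(text, n)

def publish(priv, pub, payload):
    """Everything one download directory holds, the key file included."""
    checksum = hashlib.sha256(payload).hexdigest()
    return {"pkg": payload, "sum": checksum,
            "sig": sign(priv, checksum), "key": pub}

def verify(mirror, pinned_fp=None):
    """Return (accepted, reason); pinned_fp is a fingerprint learned out of band."""
    if hashlib.sha256(mirror["pkg"]).hexdigest() != mirror["sum"]:
        return False, "checksum mismatch"
    if not sig_ok(mirror["key"], mirror["sum"], mirror["sig"]):
        return False, "bad signature"
    if pinned_fp is not None and fingerprint(mirror["key"]) != pinned_fp:
        return False, "key is not the publisher's"
    return True, "ok"

# Constructed sample data (hypothetical publisher and intruder keys).
pub, priv = make_key(2**61 - 1, 2**89 - 1)
other_pub, other_priv = make_key(2**107 - 1, 2**127 - 1)
PINNED = fingerprint(pub)
genuine = publish(priv, pub, b"release-1.0 contents")
# Package and checksum changed, signature and key left alone.
partial = dict(genuine, pkg=b"modified",
               sum=hashlib.sha256(b"modified").hexdigest())
# All four files in the directory replaced consistently, key included.
replaced = publish(other_priv, other_pub, b"modified")
```

Calling `verify(replaced)` without a pinned fingerprint is the "key in the same directory" case: every check passes because the only trust anchor came from the location that was modified.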