Rget to automatically get and check software

Hello,

So I read this article today.

Do you guys think that this should always be used, and will it find itself in every distro?

I can get behind that idea -

“When someone publishes a file on the internet that they wish to be verified by rget, they have to add the file’s hash and URL to the public log so that, in future, rget can verify the legitimacy of downloaded copies of said file from the given URL.”

I always thought having the md5 / sha hash on the same page as the download seems a bit redundant, as if a bad actor got to the page to tamper with the download, surely they would replace the sum as well?

But then again, the single point of failure is just moved, because the hacker would just need to compromise the rget upload, and upload the bad file with its new hash.

Still, another layer sounds okay, and not too difficult for a publisher to implement, if they chose to.

While I never really thought that the MD5 checksum really meant anything anyway (as any bad actor can make anything happen if you think about it), I think it would be a good idea just to speed it up anyway. I think they should offer things like this as standard, as I would like to see this happen in Debian (for Kali Linux).

To be honest with you, I have been working with VMs in a sandbox, so the machines don’t live that long anyway. But if I had a static machine this would be a nice addition.

1 Like

Checksums are there usually to check for file corruption, not so much to protect against bad actors.

1 Like
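
The publish-then-verify flow from the rget description quoted earlier in the thread, as an added example that is not from the thread or from rget itself: a toy hash-chained log in Python. The chaining scheme, `PublicLog`, `check_download`, the trusted head value, and the sample URL and bytes are all assumptions made for illustration.

```python
import hashlib

GENESIS = "0" * 64  # head of an empty log (assumed convention)
SAMPLE_URL = "https://downloads.example/tool-1.0.tar.gz"  # constructed
SAMPLE_RELEASE = b"constructed release bytes"             # constructed

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def chain(head: str, url: str, file_digest: str) -> str:
    """New head commits to the previous head plus the new entry."""
    return sha256_hex(f"{head}|{url}|{file_digest}".encode())

class PublicLog:
    """Toy append-only log of (url, sha256) entries (hypothetical model)."""
    def __init__(self):
        self.entries = []
        self.head = GENESIS

    def publish(self, url: str, file_digest: str) -> str:
        self.entries.append((url, file_digest))
        self.head = chain(self.head, url, file_digest)
        return self.head

def recompute_head(entries) -> str:
    head = GENESIS
    for url, file_digest in entries:
        head = chain(head, url, file_digest)
    return head

def check_download(log: PublicLog, trusted_head: str, url: str, data: bytes) -> str:
    """Classify a download against the log.

    trusted_head is a head the client learned independently of the
    download site (assumption); rewriting any earlier entry changes it.
    """
    if recompute_head(log.entries) != trusted_head:
        return "log-tampered"
    logged = {d for u, d in log.entries if u == url}
    if not logged:
        return "unlogged"      # publisher never registered this URL
    return "ok" if sha256_hex(data) in logged else "mismatch"

if __name__ == "__main__":
    log = PublicLog()
    head = log.publish(SAMPLE_URL, sha256_hex(SAMPLE_RELEASE))
    print(check_download(log, head, SAMPLE_URL, SAMPLE_RELEASE))
    print(check_download(log, head, SAMPLE_URL, b"swapped on the mirror"))
```
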