[reportlab-users] Request MD5 for Report_Lab 1.20 & Win32 DLLs

Andy Robinson andy at reportlab.com
Wed Aug 24 05:43:07 EDT 2005


> Since the zip and text are displayed/stored next to each other there 
> seems any modification of the zip could be accompanied by a change to 
> the MD5 text file.

This is a tricky problem and it would be nice to get other
people's opinions of what the MD5 is certifying.  (I won't
discuss how checksums were built on the page on this list
as that's too much internal security detail)

I am assuming that 
(a) the purpose of the checksum is to
certify against tampering AFTER it gets downloaded from
ReportLab, and maybe put on mirror servers, distros or
internal corporate shared drives; and
(b) if someone could gain access to the server
where the file lives in order to replace a certain download
with a dodgy one, they would also have access to edit the
source of the HTML page alongside it and put in their new MD5
checksum.  

I'm not sure how one could ensure that MD5s are original
'from the time the distro was built', even if our server
got hacked.

- Andy
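The two assumptions in the message above, modelled as an added example (not part of the original post and not ReportLab's code). The sample bytes are constructed, and the digest recorded at build time and held off the download server is an assumption made only for comparison, since the post does not describe one.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def matches(data: bytes, expected_hex: str) -> bool:
    # Compare the computed digest with the published one.
    return hmac.compare_digest(md5_hex(data), expected_hex.lower())


# Constructed stand-ins for the release zip and an altered copy of it.
ORIGINAL = b"PK\x03\x04 constructed stand-in for the release zip"
MODIFIED = b"PK\x03\x04 constructed stand-in, altered after the build"


def run_scenarios() -> dict:
    # Assumption: a digest written down when the distro was built and
    # stored somewhere the download server cannot edit.
    recorded_at_build = md5_hex(ORIGINAL)

    # Origin server: the zip and its MD5 text stored next to each other.
    origin = {"zip": ORIGINAL, "md5_page": md5_hex(ORIGINAL)}
    results = {}

    # Case (a): a copy on a mirror or shared drive is altered after it
    # left the origin; the origin page is intact and exposes the change.
    mirror_zip = MODIFIED
    results["mirror_vs_origin_page"] = matches(mirror_zip, origin["md5_page"])

    # Case (b): whoever can replace the zip on the origin can also edit
    # the page beside it, so the pair stays self-consistent.
    origin["zip"] = MODIFIED
    origin["md5_page"] = md5_hex(MODIFIED)
    results["origin_vs_own_page"] = matches(origin["zip"], origin["md5_page"])

    # Only a reference kept outside that server disagrees with the new zip.
    results["origin_vs_build_record"] = matches(origin["zip"], recorded_at_build)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```
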

