[reportlab-users] Request MD5 for Report_Lab 1.20 & Win32 DLLs

Robin Becker robin at reportlab.com
Wed Aug 24 07:29:34 EDT 2005


Andy Robinson wrote:
.....
> 
> I am assuming that 
> (a) the purpose of the checksum is to
> certify against tampering AFTER it gets downloaded from
> ReportLab, and maybe put on mirror servers, distros or
> internal corporate shared drives; and
> (b) if someone could gain access to the server
> where the file lives in order to replace a certain download
> with a dodgy one, they would also have access to edit the
> source of the HTML page alongside it and put in their new MD5
> checksum.  
> 
> I'm not sure how one could ensure that MD5s are original
> 'from the time the distro was built', even if our server
> got hacked.
> 
> - Andy
.... John Lee thinks we need to 'sign' the certificate in some way. That 
effectively means encrypting with a trapdoor method which allows the validity of 
the signature to be checked using a key that's publicly verifiable. The main 
problem is in the verification. John suggests webs of trust etc etc
-- 
Robin Becker
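
Added example, not part of the original messages and not ReportLab code: a simulation of case (b) above, where the file and its published MD5 are both replaced on the server, comparing the co-hosted checksum check with a signature check against a public key obtained elsewhere. A Lamport one-time signature over SHA-256 stands in for a real signing tool so the block needs only the standard library; all function names and sample bytes are constructed for illustration.

```python
import hashlib
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def lamport_keygen():
    """One-time key pair: 256 pairs of secrets; the public key is their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(sha256(a), sha256(b)) for a, b in priv]
    return priv, pub

def digest_bits(data: bytes):
    d = sha256(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(priv, data: bytes):
    """Reveal one secret per digest bit. A key pair must sign only one message."""
    return [priv[i][bit] for i, bit in enumerate(digest_bits(data))]

def lamport_verify(pub, data: bytes, sig) -> bool:
    bits = digest_bits(data)
    return len(sig) == 256 and all(
        sha256(s) == pub[i][bit] for i, (s, bit) in enumerate(zip(sig, bits)))

def checksum_ok(download: bytes, published_md5: str) -> bool:
    """The check discussed in the thread: MD5 read from the same server as the file."""
    return hashlib.md5(download).hexdigest() == published_md5

def simulate():
    # Constructed sample data, not a real release archive.
    original = b"constructed release archive v1"
    tampered = b"constructed release archive v1 + altered"
    priv, pub = lamport_keygen()        # assumption: generated off the download server
    sig = lamport_sign(priv, original)  # published next to the file
    # Case (b): whoever replaced the file also rewrote the checksum page.
    server = {"file": tampered, "md5": hashlib.md5(tampered).hexdigest(), "sig": sig}
    return {
        "md5_accepts_tampered": checksum_ok(server["file"], server["md5"]),
        "sig_accepts_tampered": lamport_verify(pub, server["file"], server["sig"]),
        "sig_accepts_original": lamport_verify(pub, original, sig),
    }

if __name__ == "__main__":
    print(simulate())
```

The signature check only holds if `pub` reached the user through a channel the server's attacker does not control, which is the verification problem raised in the message.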

