bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Emacs 22.1 released


From: Doug McLaren
Subject: Re: Emacs 22.1 released
Date: Tue, 5 Jun 2007 09:28:31 -0500

In article <address@hidden> you write:

| GNU Emacs 22.1 has been released.  It is available on the GNU ftp
| sites at ftp.gnu.org/gnu/emacs/ and its mirrors (see
| http://www.gnu.org/order/ftp.html).
| 
| The MD5 check-sum is the following:
| 
|     6949df37caec2d7a2e0eee3f1b422726  emacs-22.1.tar.gz

Might want to start giving other check sums in addition to MD5
checksums -- MD5 is no longer cryptographically secure.

(Or not give any checksums at all, I guess.)

Perhaps you should include a GPG signed key of the file in addition to
the MD5 ?

Having a MD5 that matches is no longer a reasonable guarantee that
your file has not been corrupted, and so it gives a false sense of
security.  Sure, it'll protect you against a file corrupted by a bad
disk, or a truncated file (but the checksum in gzip will do that too)
but it won't protect you against somebody hacking up a version, making
the md5sum match, and then putting it up on a mirror somewhere.

emacs isn't run setuid or anything like that (except maybe
emacsclient, if anybody uses it) but there's still a security risk if
it's compromised.

-- 
Doug McLaren, address@hidden
"What luck for rulers that men do not think." --Adolf Hitler




reply via email to

[Prev in Thread] Current Thread [Next in Thread]