I downloaded the code from another mirror and everything worked correctly. I notified the mirror site of the inconsistency, and carried on. However, I often wonder how much we shortcut our work, and fail to check that vital information.
Here is a gentle reminder. If the code has an MD5, SHA, and cryptographic signature, please take the extra 5 minutes to check all three. It will verify your downloads, are safe.
Also keep in mind that if you don't, and make a war file that contains these potentially infected sources, you are propagating the problem.
2 comments :
I wonder, why is easy to infect a file, but is hard to change the MD5 code you are seeing in the page?
I had a discussion at lunch with a colleague about this exact issue.
Usually the files and signature are located in different areas and/or servers. This is not always the case, but can add a little level of security.
The better solution is to check the cryptographic signature with the armor files which often accompany the files and are verified using the public key from the signer.
In my case, the MD5 check was sufficient to tip me off, but since the SHA and ASC files were available I would have checked them anyway.
I think I will consider doing the same thing for all the code I publish since it is a good practice.
Thanks for the thoughtful comment.
Post a Comment