[Box Backup] Small suggestion

[Dennis Speekenbrink]

Ben Summers wrote:

> This is deliberate. Publishing an MD5 sum of a file on the same  
> server which serves that file (or a "connected" server) is a false  
> sense of security. If an attacker can modify the distribution file,  
> they can also modify the MD5 sum on the web page.

True, but I assumed the sourceforge download/mirror system was not 
connected in such a way to the Box Backup home page.  I guess that if 
the downloads offered by SourceForge are coming from the same server as 
the homepage, than my suggestion is only halfway safe (and therefore may 
do more harm than good).

> Only trust MD5 sums from independent people who have personally  
> verified the sources. And even then, look closely. Or better still,  
> verify the source yourself.

Right you are.  Even then, publishing MD5 sums on "disconnected" sites 
helps nothing against man-in-the-middle-attacks (if an intruder has 
taken over my local proxy/gateway/etc he/she could modify both the site 
as it appears to me, as well as the downloaded source), but it does give 
a little extra sanity check.
The thought just occurred to me as I was downloading the source, I've 
got no reason to suspect that anything is wrong with my local copy.
I'll verify the code myself for as far as my capabilities go, if only 
for educational purposes.

I'll also fire off an off-list mail to request the MD5 sum.

Thanks,
Dennis