On Thu, 19 Apr 2018, Always Learning wrote:
On Thu, 2018-04-19 at 09:40 +0100, John Hodrien wrote:
On Wed, April 18, 2018 8:36 pm, Always Learning wrote:
I have an aversion to using anything that comes from unknown sources, as used by Torrent.
Can we also challenge this "torrents are untrustworthy" attitude.
Having, successfully so far, resisted/repelled several devious attacks from the Russians, I am keen to maintain a clean, and thus secure, system as possible.
You can be given an ISO from a shady character under a railway bridge,
I'd throw it away unused. Do not want the associated risks.
This is where you're making a mistake. If you're verifying checksums, you're not taking an additional risk, beyond the risk of a hash collision. If you're worried about sha256 hash collisions, I think you're worrying about the wrong things.
The important bit is getting the hash from a secure source, and bothering the check it.
jh