On Thu, 19 Apr 2018, Always Learning wrote: > On Thu, 2018-04-19 at 09:40 +0100, John Hodrien wrote: > >>> On Wed, April 18, 2018 8:36 pm, Always Learning wrote: > >>>> I have an aversion to using anything that comes from unknown sources, as >>>> used by Torrent. > >> Can we also challenge this "torrents are untrustworthy" attitude. > > Having, successfully so far, resisted/repelled several devious attacks from > the Russians, I am keen to maintain a clean, and thus secure, system as > possible. > >> You can be given an ISO from a shady character under a railway bridge, > > I'd throw it away unused. Do not want the associated risks. This is where you're making a mistake. If you're verifying checksums, you're not taking an additional risk, beyond the risk of a hash collision. If you're worried about sha256 hash collisions, I think you're worrying about the wrong things. The important bit is getting the hash from a secure source, and bothering the check it. jh