<div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace">All --<br><br>IMO ( and ITO of other SBo Customers ), The MD5SUM= field in the .info file is to verify that the DOWNLOAD= files that you downloaded the same files that the Maintainer downloaded.<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">Nothing more than that.<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">It is not for security -- the SBo Maintainer cannot guarantee that the source files are secure -- that is the Upstream Developer's duty.<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">IOW, What Habs said.<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">-- kjh<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 24, 2018 at 6:03 AM, <span dir="ltr"><<a href="mailto:thyr@airmail.cc" target="_blank">thyr@airmail.cc</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
However, you absolutely cannot assume that because the MD5 sum matches that the file is in any way "safe" or was not tampered with /before/ the maintainer got to it.<br>
</blockquote>
<br></span>
Can I assume that because MD5 sum matches that the file was not tampered after the maintainer got it? I believe this was the original scope of the thread in the first place.<br>
<br>
Quoting <a href="https://en.wikipedia.org/wiki/MD5#Preimage_vulnerability" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/<wbr>MD5#Preimage_vulnerability</a><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
In April 2009, a preimage attack against MD5 was published that breaks MD5's preimage resistance. This attack is only theoretical, ...<br>
</blockquote>
<br>
It was theoretical in 2009. The question is whether or not it was made practical in the past nine years? There are two possible outcomes. One: it was made practical and is not yet published. Two: it is still theoretical. Do you really want to wait until it becomes practical *and* published?<div class="HOEnZb"><div class="h5"><br>
______________________________<wbr>_________________<br>
SlackBuilds-users mailing list<br>
<a href="mailto:SlackBuilds-users@slackbuilds.org" target="_blank">SlackBuilds-users@slackbuilds.<wbr>org</a><br>
<a href="https://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users" rel="noreferrer" target="_blank">https://lists.slackbuilds.org/<wbr>mailman/listinfo/slackbuilds-u<wbr>sers</a><br>
Archives - <a href="https://lists.slackbuilds.org/pipermail/slackbuilds-users/" rel="noreferrer" target="_blank">https://lists.slackbuilds.org/<wbr>pipermail/slackbuilds-users/</a><br>
FAQ - <a href="https://slackbuilds.org/faq/" rel="noreferrer" target="_blank">https://slackbuilds.org/faq/</a><br>
<br>
</div></div></blockquote></div><br></div>