Proposed Cross-Reference Md5sum Project
In order to prevent malicious hackers compromising a huge mirror site (even the main site itself), or whatnot, and tampering with rpms/binaries and altering the md5sums posted on the site, I propose the following:
Individual contact with the creators to find out the correct md5sum, before public release.
Contact a series of host sites that are willing to host a text file of md5sums (and update it). Can be international, etc.
Then, a program that contacts all the host sites and cross-checks them with each other, and lists non-matches, % correct matches, which ones are different, etc. etc... You simply tell the program which rpm or binary you wish to check, and it goes out and cross-references them all.
This would make it very difficult for those wishing to alter the publicly posted md5sums and binaries on a single host site.
It would be a fairly large list, even split up into different lists for faster access if it grows. It would contain all the most popular and important program binary md5sums.
Sites that are down, etc. are ignored and left out... all the technical stuff is pretty simple... I'm willing to program and maintain it if there's enough interest.
What do you people think?
Last edited by lrt2003; 05-08-2004 at 09:23 AM.
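A sketch of the cross-check described in the post above, added here as an illustration and not lrt2003's program. The host names, file name and digests are constructed, and the lists are embedded inline instead of being fetched so the example runs offline.

```python
import hashlib
from collections import Counter

# Constructed sample data: md5sum-format lists as each host would serve them.
# None marks a host that was down. All names and digests are made up.
GOOD = hashlib.md5(b"example package contents").hexdigest()
BAD = hashlib.md5(b"tampered package contents").hexdigest()
HOST_LISTS = {
    "mirror-a.example": f"{GOOD}  foo-1.0-1.i386.rpm\n",
    "mirror-b.example": f"{GOOD}  foo-1.0-1.i386.rpm\n",
    "mirror-c.example": f"{BAD}  foo-1.0-1.i386.rpm\n",
    "mirror-d.example": None,
    "mirror-e.example": f"# weekly list\n{GOOD.upper()} *foo-1.0-1.i386.rpm\n",
}

def parse_md5sums(text):
    """Parse md5sum output lines ("<32 hex>  <name>") into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums

def cross_check(filename, host_lists, local_digest=None):
    """Compare one file's digest across every reachable host."""
    seen = {}
    for host, text in host_lists.items():
        if text is None:          # host down: ignored and left out
            continue
        digest = parse_md5sums(text).get(filename)
        if digest:
            seen[host] = digest
    if not seen:
        return {"consensus": None, "hosts_checked": 0}
    consensus, votes = Counter(seen.values()).most_common(1)[0]
    return {
        "consensus": consensus,
        "agreement_pct": 100.0 * votes / len(seen),
        "majority": votes * 2 > len(seen),  # False means no digest can be trusted
        "mismatched_hosts": sorted(h for h, d in seen.items() if d != consensus),
        "hosts_checked": len(seen),
        "local_matches": None if local_digest is None else local_digest == consensus,
    }

if __name__ == "__main__":
    print(cross_check("foo-1.0-1.i386.rpm", HOST_LISTS, local_digest=GOOD))
```

A host whose digest differs from the consensus is reported, not silently dropped, so a single altered list shows up as a named mismatch.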