One short-term way of alleviating this problem could be by publishing (and signing) both an MD5 and an SHA-1 checksum of the archive(s) in question. Even if an ambitious attacker managed to find a way to compromise an archive such that its MD5 or SHA-1 checksum stayed the same while the modified code still made sense, finding such a compromise that kept both hashes identical would be that much more difficult. (For extra credit, use two hash functions that are not as closely related as MD5 and SHA-1, or add a third one.)
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds