unofficial mirror of bug-gnu-emacs@gnu.org 
* Re: Emacs 22.1 released
From: Doug McLaren @ 2007-06-05 14:28 UTC
  To: bug-gnu-emacs

In article <mailman.1548.1180925943.32220.info-gnu-emacs@gnu.org> you write:

| GNU Emacs 22.1 has been released.  It is available on the GNU ftp
| sites at ftp.gnu.org/gnu/emacs/ and its mirrors (see
| http://www.gnu.org/order/ftp.html).
| 
| The MD5 check-sum is the following:
| 
|     6949df37caec2d7a2e0eee3f1b422726  emacs-22.1.tar.gz

Might want to start giving other checksums in addition to MD5
checksums -- MD5 is no longer cryptographically secure.

(Or not give any checksums at all, I guess.)

Perhaps you should include a GPG signed key of the file in addition to
the MD5?

Having an MD5 that matches is no longer a reasonable guarantee that
your file has not been corrupted, and so it gives a false sense of
security.  Sure, it'll protect you against a file corrupted by a bad
disk, or a truncated file (but the checksum in gzip will do that too),
but it won't protect you against somebody hacking up a version, making
the md5sum match, and then putting it up on a mirror somewhere.

Emacs isn't run setuid or anything like that (except maybe
emacsclient, if anybody uses it) but there's still a security risk if
it's compromised.

-- 
Doug McLaren, dougmc@frenzied.us
"What luck for rulers that men do not think." --Adolf Hitler
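
An added example, not part of the original message or of the Emacs project: a small verifier for md5sum/sha256sum-style checksum lines that identifies the algorithm from the digest length and refuses MD5 and SHA-1 for tamper detection. The function names and the sample "tarball" bytes are constructed for illustration; the MD5 line is the one quoted in the announcement above.

```python
import hashlib
import hmac
import re

# Hex digest length -> (hashlib name, acceptable for tamper detection?)
ALGOS = {32: ("md5", False), 40: ("sha1", False),
         64: ("sha256", True), 128: ("sha512", True)}

# "DIGEST  NAME" (text mode) or "DIGEST *NAME" (binary mode)
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")


def parse_checksum_line(line):
    """Parse one line as printed by md5sum/sha256sum."""
    m = LINE_RE.match(line.strip())
    if not m or len(m.group(1)) not in ALGOS:
        raise ValueError("unrecognised checksum line: %r" % line)
    algo, strong = ALGOS[len(m.group(1))]
    return algo, strong, m.group(1).lower(), m.group(2)


def verify(data, line, allow_weak=False):
    """Return (ok, reason) for bytes `data` against a published line."""
    algo, strong, expected, name = parse_checksum_line(line)
    if not strong and not allow_weak:
        # Weak digests still catch accidental corruption, nothing more.
        return False, "%s is too weak, refusing %s" % (algo, name)
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "%s mismatch for %s" % (algo, name)
    return True, "%s ok for %s" % (algo, name)


# The line from the release announcement quoted above.
PAGE_MD5_LINE = "6949df37caec2d7a2e0eee3f1b422726  emacs-22.1.tar.gz"

# Constructed sample data standing in for a downloaded tarball.
SAMPLE = b"constructed sample release tarball\n"
SAMPLE_LINE = hashlib.sha256(SAMPLE).hexdigest() + "  sample-1.0.tar.gz"

if __name__ == "__main__":
    print(verify(b"", PAGE_MD5_LINE))           # refused: md5
    print(verify(SAMPLE, SAMPLE_LINE))          # accepted: sha256
    print(verify(SAMPLE + b"x", SAMPLE_LINE))   # modified file detected
```

A strong digest only helps when the checksum line itself arrives over a channel the mirror operator cannot alter, for example a signed announcement.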
