
Daryle Walker wrote:
I dislike the idea of executable-wrapped archives in general. You only have a creator's word that the file isn't actually a Trojan and/or infected with a virus. (Even a trustworthy creator may get overridden by a cracker's altered archives.)
That is true regardless of type of archive. The source archives are just as susceptible to tampering as the executable ones. And such tampering has occurred in other open source distributed material.
This is late, and it seems that you guys agreed to an extractor-included version as an addition instead of a replacement. Maybe we should add a list of MD5, or other checksum, values for each of our archives.
Checksums provide only a thin veil of assurance. There is no security improvement as the checksum is susceptible to the same tampering. If you really want secure assurance you would need some form of trusted public key signature on the archives.

--
Grafik - Don't Assume Anything
Redshift Software, Inc. - http://redshift-software.com
rrivera/acm.org - grafik/redshift-software.com - 102708583/icq
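The point made in the reply above, shown as an added example that is not part of the thread: a published checksum list falls to the same mirror compromise that replaces the archive, while a digest signed with the publisher's private key does not. The Ed25519 and SHA-256 choices and the sample archive bytes are assumptions for illustration, not anything Boost used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Sha256Hex returns the hex digest a checksum list would publish for an archive.
func Sha256Hex(archive []byte) string {
	sum := sha256.Sum256(archive)
	return hex.EncodeToString(sum[:])
}

// ChecksumOnlyPasses is the "list of checksum values" scheme: accept the archive
// if its digest matches the published one. Nothing binds the published digest to
// the publisher, so whoever can replace the archive can replace the digest too.
func ChecksumOnlyPasses(archive []byte, publishedHex string) bool {
	return Sha256Hex(archive) == publishedHex
}

// SignedChecksumPasses first verifies the publisher's signature over the published
// digest, then checks the archive against it. Forging the digest now needs the key.
func SignedChecksumPasses(archive []byte, publishedHex string, sig []byte, pub ed25519.PublicKey) bool {
	if !ed25519.Verify(pub, []byte(publishedHex), sig) {
		return false // digest was not produced by the holder of the private key
	}
	return Sha256Hex(archive) == publishedHex
}

// TamperDemo models a compromised mirror: the attacker swaps both the archive
// and the checksum list. It returns (checksum-only verdict, signed verdict).
func TamperDemo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher's release key
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed sample: genuine archive contents")
	digest := Sha256Hex(genuine)
	sig := ed25519.Sign(priv, []byte(digest)) // signature shipped with the digest

	trojan := []byte("constructed sample: archive with an added payload")
	attackerDigest := Sha256Hex(trojan) // attacker rewrites the checksum list as well
	return ChecksumOnlyPasses(trojan, attackerDigest),
		SignedChecksumPasses(trojan, attackerDigest, sig, pub)
}

func main() {
	c, s := TamperDemo()
	fmt.Printf("tampered archive accepted: checksum-only=%v signed=%v\n", c, s)
}
```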