zlacker

Tiny Core Linux: a 23 MB Linux distro with graphical desktop
1. hypeat+m5 2025-12-06 15:07:49
>>LorenD+(OP)
The site doesn't have HTTPS and there doesn't seem to be any mention of signatures on the downloads page. Any way to check it hasn't been MITM'd?
◧◩
2. firest+Y5 2025-12-06 15:13:35
>>hypeat+m5
Not foolproof. Could compute MD5 or SHA256 after downloading.
◧◩◪
3. hypeat+s7 2025-12-06 15:23:26
>>firest+Y5
And compare it against what?

EDIT: never mind, I see that it has the md5 in a text file here: http://www.tinycorelinux.net/16.x/x86/release/

◧◩◪◨
4. maccar+18 2025-12-06 15:27:53
>>hypeat+s7
Which is served from the same insecure domain. If the download is compromised you should assume the hash from here is too.
◧◩◪◨⬒
5. hypeat+n8 2025-12-06 15:30:44
>>maccar+18
An integrity check is better than nothing, but yes it says nothing about its authenticity.
◧◩◪◨⬒⬓
6. embedd+I9 2025-12-06 15:39:08
>>hypeat+n8
An integrity check where both what you're checking and the hash you're checking against is literally not better than nothing if you're trying to prevent downloading compromised software. It'd flag corrupted downloads at least, so that's cool, but for security purposes the hash for an artifact has to be served OOB.
◧◩◪◨⬒⬓⬔
7. uecker+Ze 2025-12-06 16:20:48
>>embedd+I9
It is better than nothing if you note it down. You can compare it later if somebody (or you) was compromised to see whether you had the same download as everyone else.
◧◩◪◨⬒⬓⬔⧯
8. maccar+4n 2025-12-06 17:26:42
>>uecker+Ze
Sorry but this is nonsense. It’s better than nothing if you proactively log the hashes before you need them, but it’s actively harmful for anyone who downloads it after it’s compromised.
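
The distinction argued in this thread, as an added example that is not part of any comment above: a checksum fetched over the same plain-HTTP channel as the download still catches corruption, but only a digest obtained out-of-band or noted earlier catches a swapped image. The hosts, file names, sample bytes and the rule that "out-of-band" means HTTPS from a different host are assumptions made for this illustration.

```python
"""Added example: same-channel checksums detect corruption, not tampering."""
import hashlib
import hmac
from urllib.parse import urlsplit

def parse_checksum_line(line):
    """Parse '<hex digest>  <filename>' as written by md5sum/sha256sum."""
    digest, name = line.strip().split(None, 1)
    return digest.lower(), name.lstrip("*")

def independent_channel(artifact_url, checksum_url):
    """Assumption for this example: the checksum counts as out-of-band only
    if it arrived over HTTPS from a different host than the artifact."""
    art, chk = urlsplit(artifact_url), urlsplit(checksum_url)
    return chk.scheme == "https" and chk.hostname != art.hostname

def check_download(data, artifact_url, checksum_url, checksum_line, algo="sha256"):
    """Return 'mismatch', 'integrity-only' or 'verified-out-of-band'."""
    expected, _name = parse_checksum_line(checksum_line)
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "mismatch"
    if independent_channel(artifact_url, checksum_url):
        return "verified-out-of-band"
    return "integrity-only"

def matches_pinned(data, pinned_hex, algo="sha256"):
    """Compare against a digest noted earlier or obtained out-of-band."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, pinned_hex.lower())

# Constructed sample data; hosts and file names are placeholders.
GENUINE = b"constructed image bytes v1"
TAMPERED = b"constructed image bytes v1 + implant"
ART_URL = "http://downloads.example/release/image.iso"
SUM_URL = "http://downloads.example/release/image.iso.sha256.txt"
PINNED = hashlib.sha256(GENUINE).hexdigest()  # stands in for a digest logged earlier

def served_checksum(data):
    """Checksum file as the download channel would serve it for `data`;
    whoever controls that channel can regenerate it."""
    return hashlib.sha256(data).hexdigest() + "  image.iso\n"

if __name__ == "__main__":
    # Image and checksum file replaced together on the same channel.
    print(check_download(TAMPERED, ART_URL, SUM_URL, served_checksum(TAMPERED)))
    # A truncated download against the genuine checksum file.
    print(check_download(GENUINE[:-1], ART_URL, SUM_URL, served_checksum(GENUINE)))
    # The previously logged digest against the replaced image.
    print(matches_pinned(TAMPERED, PINNED))
```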