grarpamp wrote this message on Wed, Dec 30, 2020 at 00:55 -0500: > > signatures of the magnet links > > Signing torrent.asc, with stronger or even same hash as BT > protocol, still serve purpose of authenticate torrent file back > to a signer to the degree therein, caveat their platform security, > caveat sha-1 inside torrent still being abuseable by third party, > caveat etc. With no torrent.asc there is nothing directly saying > the torrent file / infohash itself went through freebsd project. > Whether torrent or git or else, there can be useable scope > and case for such "stronger over weaker" constructions. There is already HTTPS to protect the "authenticity" of the magnet link. Yes, someone could vandalize the wiki page but I'm now subscribed and will notice it... Also, magnet links are not officially supported the project.. I provide them because I think it's useful, and there are some people who request them... One of the large parts of security is that not everyone knows the in's and out's of security, so people who don't know, will have heard that SHA-1 is a cryptographic hash, and assume that something is secure when using it. It's difficult to educate people on these points.. > gpg offers better hash algos than sha-1 these days, > all users should look into configuring and using it, > same goes for abandoning the old [a]symmetric algos > and weaker keys, made with old weak /dev/random, etc. > > One cannot sign or verify anything without knowing gpg first :) snapaid was designed to make it even easier... -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."Received on Thu Dec 31 2020 - 18:39:17 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:26 UTC