Bittorrent secure?

[Chuck Swiger]

Hanspeter Roth wrote:
>   On Jan 25 at 14:48, Chuck Swiger spoke:
>> You need to have an external source of information which specifies a 
>> checksum or MD5 hash to confirm that the file has not been tampered with.  
> 
> That to say I should download CHECKSUM.MD5 from one of the public
> FTP-servers by hand and do the MD5 checks myself, right?

Yes indeed, or use the files in a context like the ports tree, which does this 
sort of checking for you.

>> If you trust the Torrent tracker file, then BitTorrent has this part 
>> built-in.  Otherwise, you would use something like the distinfo files in 
>> /usr/ports to help confirm the validity of files.
> 
> BitTorrent doesn't get some public checksums from some public
> servers transparently, does it?

Each file distributed by BitTorrent has a tracker and a seed .torrent which 
describes the checksums of the file (and it's parts), and manages the list of 
hosts offering the file.

>> On the other hand, Torrent doesn't do any worse than FTP or HTTP.
>  
> The FTP-servers should be more or less official and should contain
> more or less uncompromised data.

A lot of people thought that about ftp.gnu.org, or ftp.sendmail.org, or other 
well-known FTP sources which have been compromised.

> Hosts that offer BitTorrent probably are less official.

True, but you are not relying on them to confirm the downloaded data is 
correct, you are relying on the seed host and it's .torrent file.

-- 
-Chuck