mirror of https://git.tukaani.org/xz.git
synced 2025-10-26 02:52:56 +00:00
The release files are signed but verifying the signatures cannot
catch certain types of attacks:

1. A malicious maintainer could make more than one variant of
   a package. One could be for general distribution. Another
   with malicious content could be targeted to specific users,
   for example, distributing the malicious version on a mirror
   controlled by the attacker.

2. If the signing key of an honest maintainer was compromised
   without being detected, a similar situation as described
   above could occur.

SHA256SUMS could be put on the project website but having it in
the Git repository makes it obvious that old lines aren't modified
when the file is updated.

Hashes of uncompressed files are included too. This way tarballs
can be recompressed and the hashes can still be verified.
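The last paragraph of the commit message is the part a downstream verifier has to act on: `sha256sum -c SHA256SUMS` only matches the exact compressed bytes, so a tarball that a mirror or distribution recompressed fails that check even when its content is untouched. The script below, an added example that is not the xz project's own tooling, decompresses a tarball to a stream, hashes the stream and compares it with the digest listed for the `.tar` name. It assumes GNU-style `tar`, `gzip`, `awk` and coreutils `sha256sum`, and it assumes (not stated on this page) that SHA256SUMS uses the `sha256sum(1)` line format `<hex digest>  <filename>`. The sample release, mirror copy and tampered copy are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not the xz project's own tooling: check a release tarball against
# a SHA256SUMS file that records the digest of the *uncompressed* .tar. The check
# survives recompression by a mirror, but any change to the content still fails.
# Assumes tar, gzip, awk and coreutils sha256sum, and that SHA256SUMS uses the
# sha256sum(1) line format "<hex digest>  <filename>" (an assumption here).
set -eu

# Hex SHA-256 of stdin (on macOS substitute `shasum -a 256`).
sha256_stdin() {
    sha256sum | cut -d' ' -f1
}

# Decompress tarball $1 to stdout; the tool is chosen from the extension.
decompress() {
    case "$1" in
        *.tar.xz)  xz -dc "$1" ;;
        *.tar.gz)  gzip -dc "$1" ;;
        *.tar.bz2) bzip2 -dc "$1" ;;
        *.tar)     cat "$1" ;;
        *)         echo "unsupported tarball name: $1" >&2; return 2 ;;
    esac
}

# Name under which SHA256SUMS lists the uncompressed form of tarball $1.
tar_name() {
    basename "$1" | sed -e 's/\.xz$//' -e 's/\.gz$//' -e 's/\.bz2$//'
}

# Digest listed for file $2 in SHA256SUMS file $1; non-zero status if absent.
expected_sha256() {
    awk -v name="$2" '$2 == name { print $1; found = 1 } END { exit !found }' "$1"
}

# verify_uncompressed_sha256 TARBALL SHA256SUMS: 0 if the decompressed stream
# matches the listed .tar digest, 1 otherwise.
verify_uncompressed_sha256() {
    name=$(tar_name "$1")
    expected=$(expected_sha256 "$2" "$name") || {
        echo "no entry for $name in $2" >&2
        return 1
    }
    actual=$(decompress "$1" | sha256_stdin)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 -> $name $actual"
        return 0
    fi
    echo "MISMATCH: $1 -> $name expected $expected got $actual" >&2
    return 1
}

# Constructed sample data in a temp dir: the maintainer's .tar.gz, a mirror's
# recompression of the same tar stream, and a tampered copy. Prints one line:
# "<orig> <mirror> <tampered> compressed-bytes-identical=<yes|no>".
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/pkg-1.0" "$work/mirror" "$work/evil/pkg-1.0"
    printf 'hello\n' > "$work/src/pkg-1.0/README"
    (cd "$work/src" && tar -cf ../pkg-1.0.tar pkg-1.0)
    gzip -9c "$work/pkg-1.0.tar" > "$work/pkg-1.0.tar.gz"
    # The maintainer lists both the .tar and the .tar.gz, as the commit message says.
    (cd "$work" && sha256sum pkg-1.0.tar pkg-1.0.tar.gz > SHA256SUMS)
    # Mirror recompresses from stdin: identical tar stream, different gzip bytes.
    gzip -1c < "$work/pkg-1.0.tar" > "$work/mirror/pkg-1.0.tar.gz"
    # Attacker-modified content, repackaged under the same name.
    printf 'hello\nbackdoor\n' > "$work/evil/pkg-1.0/README"
    (cd "$work/evil" && tar -cf pkg-1.0.tar pkg-1.0 && gzip -9c pkg-1.0.tar > pkg-1.0.tar.gz)

    orig=pass
    verify_uncompressed_sha256 "$work/pkg-1.0.tar.gz" "$work/SHA256SUMS" >/dev/null 2>&1 || orig=fail
    mirror=pass
    verify_uncompressed_sha256 "$work/mirror/pkg-1.0.tar.gz" "$work/SHA256SUMS" >/dev/null 2>&1 || mirror=fail
    tampered=pass
    verify_uncompressed_sha256 "$work/evil/pkg-1.0.tar.gz" "$work/SHA256SUMS" >/dev/null 2>&1 || tampered=fail
    same=no
    if [ "$(sha256_stdin < "$work/pkg-1.0.tar.gz")" = "$(sha256_stdin < "$work/mirror/pkg-1.0.tar.gz")" ]; then
        same=yes
    fi
    rm -rf "$work"
    echo "$orig $mirror $tampered compressed-bytes-identical=$same"
}

run_demo
```

The mirror's copy passes because the digest is taken over the tar stream, not over the gzip container; the tampered copy fails for the same reason. The digest of the compressed file is still worth listing (and checking when it matches) since it is what a download actually delivers, but it is the uncompressed digest that lets a recompressed tarball be tied back to the release. Checking against a SHA256SUMS copy taken from the Git history, rather than from the same mirror that served the tarball, is what makes the two scenarios in the commit message detectable.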
9 lines
176 B
Plaintext
.gitattributes export-ignore
.gitignore export-ignore

/.codespellrc export-ignore
/.github export-ignore

/build-aux/ci_build.bash export-ignore
/doc/SHA256SUMS export-ignore
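What these attributes do at release time can be seen by archiving a throwaway repository that carries the same `.gitattributes`. The script below is an added example and is not part of the xz repository; every file name in it other than those taken from the attribute file above (README, `doc/notes.txt`, `build-aux/configure.sh`, `.github/workflows/ci.yml`) is made up for the demonstration. It assumes `git` and `tar` are available and prints the member list of a `git archive` of the commit.

```shell
#!/bin/sh
# Added example, not part of the xz repository: build a throwaway repo carrying
# the attribute file above and list what `git archive` emits, to show that
# export-ignore keeps CI/GitHub metadata and doc/SHA256SUMS out of a source
# archive. File names other than those in the attribute file are made up here.
set -eu

# Create the repo and print the archive's member list, one path per line.
archive_members() {
    repo=$(mktemp -d)
    (
        cd "$repo"
        git init -q
        mkdir -p .github/workflows build-aux doc
        cat > .gitattributes <<'EOF'
.gitattributes export-ignore
.gitignore export-ignore

/.codespellrc export-ignore
/.github export-ignore

/build-aux/ci_build.bash export-ignore
/doc/SHA256SUMS export-ignore
EOF
        : > .gitignore
        : > .codespellrc
        : > .github/workflows/ci.yml
        : > build-aux/ci_build.bash
        : > build-aux/configure.sh        # hypothetical file that should ship
        : > doc/SHA256SUMS
        : > doc/notes.txt                 # hypothetical file that should ship
        : > README
        git add -A
        git -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false commit -q -m 'add attributes'
        # Attributes are read from the archived tree, so .gitattributes is
        # honoured even though it excludes itself from the output.
        git archive --format=tar --prefix=pkg/ HEAD | tar -tf -
    )
    rm -rf "$repo"
}

# member LIST PATH: succeeds if PATH is one line of the newline-separated LIST.
member() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

archive_members
```

Only `pkg/README`, `pkg/build-aux/configure.sh` and `pkg/doc/notes.txt` (plus their directory entries) come out; `.github/`, the CI script, the repository housekeeping files and `doc/SHA256SUMS` are dropped. Keeping SHA256SUMS out of the archive is consistent with the commit message: the file records the digests of the tarballs themselves, so it lives in the Git history next to the signed releases rather than inside them.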