undefined | Better HN

0 pointsmfer6y ago0 comments

If a hosting server is compromised the hash and download can be changed with something nefarious. crypto signing/verification will catch that case. hash checking will not.

This is a legitimate case as it's happened to other projects in the past.

0 comments

groobongithub6y ago

The download comes from dl.google.com while the checksum is published on golang.org.

FWIW the macOS pkg you download is signed.

j / k navigate · click thread line to collapse

0 pointsmfer6y ago0 comments

If a hosting server is compromised the hash and download can be changed with something nefarious. crypto signing/verification will catch that case. hash checking will not.

This is a legitimate case as it's happened to other projects in the past.

0 comments

groobongithub6y ago

The download comes from dl.google.com while the checksum is published on golang.org.

FWIW the macOS pkg you download is signed.

j / k navigate · click thread line to collapse