[Rd] Wrongly checked MD5 checksums in R 3.2.0's windows binary

Duncan Murdoch murdoch.duncan at gmail.com
Mon May 11 15:53:30 CEST 2015


On 11/05/2015 9:35 AM, Tal Galili wrote:
> Hi Duncan,
> Thank you for the clarification. :)
>
> I ended up removing these files from being scanned in the updated 
> version of installr. I would rather focus on supporting an MD5 scan 
> that is based on what is listed in the MD5 file itself (ignoring 
> exceptions that are not clearly stated in the file).
>

I'm not sure what the purpose is of your test, but if it is to detect 
modified files, that might not be a good strategy.  A malicious agent 
could install fake bin/R.exe or bin/Rscript.exe and not be caught.

Of course, if they knew to modify those two files but not any others, 
they would know enough to also install a fake MD5 file, and then there's 
basically nothing you could do.

Duncan
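
The coverage gap described in the message above, as an added example that is not part of the original thread or of installr: a manifest check that also reports which files on disk no digest comparison covered. The md5sum-style manifest format, the function names and every sample file except bin/R.exe and bin/Rscript.exe are assumptions. It does not address a replaced manifest.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def parse_manifest(text):
    # Assumed md5sum-style lines: "<hex digest> *<relative path>"
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            entries[name.strip().lstrip("*").replace("\\", "/")] = digest.lower()
    return entries

def audit(root, manifest_text, exclude=()):
    listed = parse_manifest(manifest_text)
    on_disk = set()
    for dirpath, _, files in os.walk(root):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            on_disk.add(rel.replace(os.sep, "/"))
    to_check = {p: d for p, d in listed.items() if p not in exclude}
    missing = sorted(p for p in to_check if p not in on_disk)
    mismatch = sorted(p for p, d in to_check.items()
                      if p in on_disk and md5_of(os.path.join(root, p)) != d)
    # Files that no digest comparison covered: excluded from the scan or never listed.
    unchecked = sorted(on_disk - set(to_check))
    return {"mismatch": mismatch, "missing": missing, "unchecked": unchecked}

def demo():
    # Constructed sample tree and contents, for illustration only.
    files = {"bin/R.exe": b"launcher", "bin/Rscript.exe": b"script launcher",
             "etc/Rprofile.site": b"# site profile\n", "README": b"constructed\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = "".join(f"{hashlib.md5(d).hexdigest()} *{r}\n" for r, d in files.items())
        with open(os.path.join(root, "bin/R.exe"), "wb") as f:  # changed after manifest
            f.write(b"replaced after the manifest was written")
        return (audit(root, manifest),
                audit(root, manifest, exclude={"bin/R.exe", "bin/Rscript.exe"}))
if __name__ == "__main__":
    print(demo())
```

With the two launchers excluded, the scan reports no mismatch even though bin/R.exe changed; the `unchecked` list is what makes that gap visible.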


