> The NSRL dataset has signatures that are typically used to verify both integrity and veracity.
> http://www.nsrl.nist.gov/RDS/rds_2.54/split-hash.txt

Can you explain this signature scheme? I'm not familiar with it. The link you provided just appears to show hashes and sizes for a file that has been split into four pieces.

> Alleging the NSRL is untrustworthy is inconsistent with the track record of the NSRL and NIST scientists.

I'd just like to point out that neither I nor anyone else here has alleged that.

> Please be aware that there are thousands of forensic experts who have relied on the NSRL over the last decade or more as a basis for testimony in court. Those experts verify hashes for everything they do, and for every case, and as a result there has been a significant amount of independent peer review of the contents.

I'm genuinely glad to hear that! That's good to know.

> While Codehash.db provides a hash for a package, the NSRL provides hashes for individual installed files.

I don't think that's necessarily true. Codehash.db is open to hashes for anything (source code, ISO, package, binary installer).

> This in no way diminishes the value of the Codehash.db design. They target different use cases.

Likewise, my remarks aren't meant to be in any way derogatory toward the NSRL. As far as I'm concerned, it's OK if they do, in the final analysis, target the same use case. If that's the case, the best solution should be adopted, whichever one that turns out to be. :)
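The split-hash file mentioned in the reply above is, as the reply says, a list of sizes and hashes for the pieces of a split download. The following is an added example, not code from this thread, from NIST or from the Codehash.db project, of how a verifier would consume such a list: check each piece's size, MD5 and SHA-1 against the manifest, then check the reassembled whole against a separately published digest so that pieces joined in the wrong order are also caught. The manifest line format (`<size> <md5> <sha1> <part name>`) and the part names are assumptions for the example; the digests are standard test vectors for the strings "abc" and the pangram, constructed here rather than taken from any NSRL release.

```python
import hashlib
from dataclasses import dataclass

# Constructed manifest in an ASSUMED format: "<size> <md5> <sha1> <part name>" per line.
# The digests are well-known test vectors for the sample bytes below, not NSRL values.
SAMPLE_MANIFEST = """\
3 900150983cd24fb0d6963f7d28e17f72 a9993e364706816aba3e25717850c26c9cd0d89d rds.part1
43 9e107d9d372bb6826bd81d3542a419d6 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 rds.part2
"""

# Constructed "downloaded" pieces that match the manifest above.
SAMPLE_PARTS = {
    "rds.part1": b"abc",
    "rds.part2": b"The quick brown fox jumps over the lazy dog",
}


@dataclass(frozen=True)
class PartRecord:
    size: int
    md5: str
    sha1: str
    name: str


def digest_bytes(data: bytes) -> tuple:
    """Return (md5, sha1) hex digests; both are computed so a manifest carrying either can be checked."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def parse_manifest(text: str) -> list:
    """Parse the assumed four-field manifest format; blank and '#' lines are ignored."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"manifest line {lineno}: expected 4 fields, got {len(fields)}")
        size, md5, sha1, name = fields
        records.append(PartRecord(int(size), md5.lower(), sha1.lower(), name))
    return records


def verify_parts(records, parts) -> dict:
    """Check each piece's size, MD5 and SHA-1 against its record.

    Returns {name: (ok, reason)}. A missing piece is a failure, never a silent skip,
    and the size is compared first so a truncated download is reported as such.
    """
    results = {}
    for rec in records:
        data = parts.get(rec.name)
        if data is None:
            results[rec.name] = (False, "missing")
            continue
        if len(data) != rec.size:
            results[rec.name] = (False, f"size {len(data)} != {rec.size}")
            continue
        md5, sha1 = digest_bytes(data)
        if md5 != rec.md5 or sha1 != rec.sha1:
            results[rec.name] = (False, "digest mismatch")
            continue
        results[rec.name] = (True, "ok")
    return results


def reassemble(records, parts) -> bytes:
    """Join the pieces in manifest order; only meaningful once verify_parts has passed."""
    return b"".join(parts[rec.name] for rec in records)


def verify_whole(records, parts, expected_sha1: str) -> bool:
    """Per-piece checks do not prove the pieces were joined in the right order,
    so also compare the reassembled file against a digest published for the whole."""
    if not all(ok for ok, _ in verify_parts(records, parts).values()):
        return False
    return digest_bytes(reassemble(records, parts))[1] == expected_sha1.lower()


def run_demo() -> tuple:
    """Verify the constructed download once as-is and once with one byte altered."""
    records = parse_manifest(SAMPLE_MANIFEST)
    good = verify_parts(records, SAMPLE_PARTS)
    tampered = {**SAMPLE_PARTS, "rds.part1": b"abd"}  # same size, one byte changed
    bad = verify_parts(records, tampered)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    for label, result in (("intact", good), ("tampered", bad)):
        for name, (ok, why) in result.items():
            print(f"{label:9s} {name}: {'OK' if ok else 'FAIL'} ({why})")
```

The size check alone would miss the single-byte substitution in the demo, which is exactly why the hash columns are there; the whole-file check is the extra step worth keeping when the publisher provides one, because it is the only part of the procedure that ties the pieces to each other.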