VOGONS

Common searches


First post, by malicious

User metadata
Rank Newbie
Rank
Newbie

The thread on an alternative download site for DOSBox brought up an interesting question, that is how to trust an unofficial mirror with no established reputation. The suggestion to ask the developers for their blessing before putting up such a mirror is well and good as a matter of courtesy but that alone doesn't solve the problem. Even if the developers have the time and interest to audit a fan site once for initial approval, they would also need to repeat the process on an ongoing basis to ensure that the site remains a trustworthy source for the project's files. My guess is the DOSBox developers don't want that extra work.

Another possible solution is to digitally sign files or provide official cryptographic hashes for them. That would allow users to verify the integrity of the files regardless of where they're downloaded from, be it a fan site or SourceForge should they experiment with injecting adware into project files again.

Reply 1 of 4, by Yesterplay80

User metadata
Rank Member
Rank
Member
malicious wrote:

Another possible solution is to digitally sign files or provide official cryptographic hashes for them.

Tada! 😉

DOSBox checksums on SourceForge.JPG
Filename
DOSBox checksums on SourceForge.JPG
File size
95.17 KiB
Views
295 views
File license
Fair use/fair dealing exception

My full-featured DOSBox SVN builds (without debugger) for Windows: Vanilla DOSBox and DOSBox ECE (Enhanced Community Edition)

Reply 3 of 4, by Kerr Avon

User metadata
Rank Oldbie
Rank
Oldbie

Would it be possible to make the (legitimate) file, when run, check itself to make sure it's not been modified in any way, and if it has been altered then it could stop installation and say

"Warning: This file has been modified, possibly maliciously, and so installation has been aborted.

Instead, download the legitimate version from https://www.dosbox.com/"

Granted, if whoever modified the file were skilled enough, then he could alter the checksum or bypass the check altogether, so it might necessitate some sort of encryption of the checksum routines, though since we're talking about a freeware program and not a commercial game then at least it wouldn't be a target for either the "Look how clever I am" hackers, or the talented (but misguided) hackers who hack commercially games' protection systems.

Reply 4 of 4, by collector

User metadata
Rank l33t
Rank
l33t

That is already part of NSIS, the install system that DOSBox uses. Of course there is nothing to prevent someone from repacking the contents into their own installer. But that would be the same possibility with any install system.

The Sierra Help Pages -- New Sierra Game Installers -- Sierra Game Patches -- New Non-Sierra Game Installers