Download security

Hi there,

The syncthing downloads reside at Amazon cloud storage, the md5 sums too. How do you prevent anyone, e.g. federal intelligence, who can easily get access to Amazon’s storage, from changing the downloads and checksums? I want to choose syncthing instead of btsync, because syncthing is open source and may be more resistant to security letters. But Amazon isn’t. How can I be sure the syncthing on Amazon is yours, and not modified, without checking out the source code from GitHub for each system and building it myself? Sounds paranoid, but it’s known they do anything they can to get access to all they can get.

Regards Steve


Did you have a look at http://syncthing.net/security.html ?

No, sorry, I didn’t recognise the link. Thank you very much.

Sincerely, Steve

What you can do is make sure you verify the checksums using the correct PGP key. That way you know they haven’t been tampered with. The website linked above isn’t beyond tampering either, but the source is on Github and the key ID is mentioned in other places like here: the fingerprint of the release@syncthing.net key should be D26E6ED000654A3E.
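
One way to script the check described in the last reply, as an added example that is not part of the thread or Syncthing's own tooling. It assumes the release key is already in the local GnuPG keyring and that the checksum list is a clearsigned file of `<hex digest>  <filename>` lines; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Key ID as quoted in the thread; a full fingerprint is a stronger pin.
EXPECTED_KEYID="D26E6ED000654A3E"

# signer_matches KEYID: reads `gpg --status-fd` output on stdin and succeeds only
# if a VALIDSIG line names a signing-key or primary-key fingerprint ending in KEYID.
signer_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            w = toupper(want); n = length(w)
            sig = toupper($3); pri = toupper($NF)
            if (substr(sig, length(sig) - n + 1) == w ||
                substr(pri, length(pri) - n + 1) == w) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_release SUMS FILE (hypothetical helper): SUMS is a clearsigned list of
# "<hex digest>  <filename>" lines (assumed layout), FILE is the download.
verify_release() {
    sums=$1; file=$2; name=$(basename "$file")
    # 1. The signature must be valid and made by the pinned key.
    status=$(gpg --status-fd 1 --verify "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signer_matches "$EXPECTED_KEYID" || return 1
    # 2. Read digests only from the text gpg verified, never from the raw file.
    want=$(gpg --decrypt "$sums" 2>/dev/null |
           awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1 }')
    # 3. Pick the hash tool from the digest length, then compare.
    case ${#want} in
        32) have=$(md5sum "$file") ;;
        40) have=$(sha1sum "$file") ;;
        64) have=$(sha256sum "$file") ;;
        *)  return 1 ;;
    esac
    [ "${have%% *}" = "$want" ]
}
```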