
On Sun, 14 Nov 2004, Tony Baechler wrote:
> At 07:12 AM 11/14/2004 -0600, you wrote:
>> It appears that we need to modify the PG web site to include checksum and CRC data on each of our files to provide a mechanism of verifying that they have not been nefariously modified after download, so "my" electronic copy can be judged the same as "your" electronic copy.
> Yes, but even CRC, hash or MD5 values can be forged. All someone would need to do is somehow compromise the PG server. That has happened with a main Debian and GNU server already. How would we make sure that the hashes are real? One solution is gpg signatures, but then someone needs to download and install gpg, a tool to verify the hash, plus the actual text file. The average user won't know how to do this and wouldn't even if they could. Not to mention that the hash and signature process would have to be done every time one byte is changed in the original, such as for correcting errors.
Nothing more is needed for this than "compare." This has been discussed widely over the years, and the simple and easy solution, for those who really want to test the files, is simply to get a few copies of the eBook in question from some different sources and test them with any of the various "file compare" programs that come with virtually all operating systems. Thus, even if just one ";" were changed to a ":" it would show up immediately, something that a careful proofreader might still miss. This totally avoids the possibility raised above of forged CRCs or hashes, and eliminates a need for any extra work on eBook preparation. Anyone can run the tests, themselves, without a reliance on outside authorities to tell them if one eBook edition is any different than another, and exactly how different it is. Simple, fast and effective, the way the entire eBook process should be.

Michael S. Hart
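The multi-source comparison described in the message above, as an added example that is not part of the original thread: it groups copies by byte-identical content, picks the most common version as the reference, and reports where each outlier differs. The source names (`mirror-a` etc.) and the sample text are constructed for illustration.

```python
from collections import defaultdict

def group_copies(copies):
    """Group source names by byte-identical content, largest group first."""
    groups = defaultdict(list)
    for source, data in copies.items():
        groups[data].append(source)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def byte_diffs(reference, other, limit=10):
    """List up to `limit` (offset, ref_byte, other_byte) mismatches and the length delta."""
    diffs = []
    for i, (x, y) in enumerate(zip(reference, other)):
        if x != y:
            diffs.append((i, bytes([x]), bytes([y])))
            if len(diffs) == limit:
                break
    return diffs, len(other) - len(reference)

def compare_sources(copies):
    """Compare every copy against the most common version.

    Returns consistent (all identical), tie (no single largest group, so no
    reference can be chosen by count), the reference group, and per-outlier diffs.
    """
    groups = group_copies(copies)
    tie = len(groups) > 1 and len(groups[0]) == len(groups[1])
    reference = copies[groups[0][0]]
    outliers = {s: byte_diffs(reference, copies[s]) for g in groups[1:] for s in g}
    return {"consistent": len(groups) == 1, "tie": tie,
            "reference": groups[0], "outliers": outliers}

# Constructed sample: three copies of one line, one with ';' changed to ':'.
SAMPLE = {
    "mirror-a": b"It was the best of times; it was the worst of times.\n",
    "mirror-b": b"It was the best of times; it was the worst of times.\n",
    "mirror-c": b"It was the best of times: it was the worst of times.\n",
}

if __name__ == "__main__":
    report = compare_sources(SAMPLE)
    print("consistent:", report["consistent"], "reference:", report["reference"])
    for source, (diffs, delta) in report["outliers"].items():
        print(source, "length delta", delta, "diffs", diffs)
```

Agreement only shows that the copies match each other, so copies that all derive from the same upstream file will agree whatever that file contains. Line-ending differences between sources (CRLF versus LF) also show up as byte mismatches.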