> DON’T: Put FreeBSD-8.0-RELEASE-amd64-disc1.iso and CHECKSUM.SHA256 onto the same FTP server and think that you’ve done something useful.
I take it the FTP got compromised and people simply regenerated the checksum for a modified image?
Wouldn't signing the checksum file solve the problem? Using different FTP servers for distributing the image and the checksums probably makes mirroring difficult.
I'm not aware of any problems with FreeBSD FTP mirrors being compromised recently. I wanted an example of data-adjacent-to-hash and most of the audience was FreeBSD people, so I figured that I'd go with an example close to home.
> Wouldn't signing the checksum file solve the problem?
Yes. Or just relying on the FreeBSD release announcements, which contain SHA256 hashes and are signed.
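
Added example, not part of the thread and not FreeBSD tooling: a small model of why a CHECKSUM.SHA256 served next to the image proves nothing, and why a digest taken from a separately authenticated source does. The mirror is modelled as a dict, the image bytes are constructed stand-ins, and verifying the signature on the release announcement is assumed to have happened before the trusted digest is used.

```python
import hashlib
import hmac
import re

NAME = "FreeBSD-8.0-RELEASE-amd64-disc1.iso"
LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")

def parse_checksums(text):
    """Map file name -> hex digest from BSD-style 'SHA256 (name) = hex' lines."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out[m["name"]] = m["hex"]
    return out

def matches(data, expected_hex):
    """Constant-time comparison of the data's SHA-256 with an expected digest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())

def verify_adjacent(mirror, name):
    """Trust the CHECKSUM.SHA256 served by the same mirror as the image."""
    sums = parse_checksums(mirror["CHECKSUM.SHA256"].decode())
    return name in sums and matches(mirror[name], sums[name])

def verify_pinned(mirror, name, trusted_hex):
    """Trust only a digest obtained from a separately authenticated source."""
    return matches(mirror[name], trusted_hex)

def make_mirror(image):
    """Hypothetical mirror: the image plus a checksum file generated from it."""
    line = f"SHA256 ({NAME}) = {hashlib.sha256(image).hexdigest()}\n"
    return {NAME: image, "CHECKSUM.SHA256": line.encode()}

# Constructed stand-ins for the real image bytes.
GOOD_IMAGE = b"constructed stand-in for the released image"
BAD_IMAGE = b"constructed stand-in for a modified image"

# Digest as it would be copied from the signed release announcement,
# after that announcement's signature has been verified (not shown here).
TRUSTED = hashlib.sha256(GOOD_IMAGE).hexdigest()

honest = make_mirror(GOOD_IMAGE)
altered = make_mirror(BAD_IMAGE)  # image replaced, checksum file regenerated

if __name__ == "__main__":
    for label, m in (("honest", honest), ("altered", altered)):
        print(label, verify_adjacent(m, NAME), verify_pinned(m, NAME, TRUSTED))
```

The adjacent check returns True for both mirrors, so it only detects accidental corruption; the pinned check is the one that fails on the altered mirror.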