Recently, a trend has occurred in which a malicious Trojan horse is hidden in popular open source programs. The authors of the programs do not do this. Instead, it is done by attackers modifying the source at distribution points such as ftp download sites. The best way to ensure you don't install software that has been modified after the authors created the ZIP or TAR file is to check either the MD5 message digest or the GPG signature of the files you download. The latter is significantly better than the former because the attacker could have easily changed the MD5 value as well.

In this appendix, we walk through the process of verifying the code you download.