Regarding authenticity of kitchen sink

[Dragas]

Hi!

I couldn't help but notice that you only provide an HTTPS link to remotely hosted kitchen sink image. In some edge cases it is possible to perform a DNS poisoning attack which would make sure that a nasty, bathroom sink, is returned instead. How do you ensure that the link, does in fact point to your provided kitchen sink and will not go down when it matters the most? Can you suggest any alternatives regarding your distribution method?

[kaliumxyz]

We have discussed it and concluded on a multitude of methods to both defend against this attack and to ensure the persistence of the kitchen sink assets. We should calculate and check against a hard-coded checksum to ensure that the kitchen sink assets are both integer and to if failing go to a fallback asset provider. For fallback providers we would have a list which we can try to fetch the assets from in parallel, using whichever is fetched first (and passes the check). Another good idea to ensure the persistence of the assets is to host them on the IPFS and to peer to retrieve the assets.

We want to ensure any parties concerned that this potential security issue is our current top priority and that a patch will be released later this day.