Re: PGP signing releases

Greg Copeland <greg@copelandconsulting.net>

From: Greg Copeland <greg@CopelandConsulting.Net>
To: "Marc G. Fournier" <scrappy@hub.org>
Cc: Neil Conway <neilc@samurai.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2003-02-03T18:24:14Z
Lists: pgsql-hackers
On Sun, 2003-02-02 at 20:23, Marc G. Fournier wrote:

> right, that is why we started to provide md5 checksums ...

md5 checksums only validate that the intended package (trojaned or
legit) has been properly received.  They offer nothing from a security
perspective unless the checksums have been signed with a key which can
be readily validated from multiple independent sources.

Regards,

-- 
Greg Copeland <greg@copelandconsulting.net>
Copeland Computer Consulting