Re: PGP signing release
Marc G. Fournier <scrappy@hub.org>
From: "Marc G. Fournier" <scrappy@hub.org>
To: Bruce Momjian <pgman@candle.pha.pa.us>
Cc: Greg Copeland <greg@CopelandConsulting.Net>, Curt Sampson <cjs@cynic.net>, PostgresSQL Hackers Mailing List <pgsql-hackers@postgresql.org>
Date: 2003-02-12T04:55:28Z
Lists: pgsql-hackers
On Tue, 11 Feb 2003, Bruce Momjian wrote: > > I hate to poo-poo this, but this "web of trust" sounds more like a "web > of confusion". I liked the idea of mentioning the MD5 in the email > announcement. It doesn't require much extra work, and doesn't require a > 'web of %$*&" to be set up to check things. Yea, it isn't as secure as > going through the motions, but if someone breaks into that FTP server > and changes the tarball and MD5 file, we have much bigger problems than > someone modifying the tarballs; our CVS is on that machine too. Its so rare that it happens, but I do agree with Bruce :) Justin, one thought ... storing the MD5s in the database for the postgresql.org site, so that ppl can compare the two places? We'd *really* have to be compromised for that to fail, but adding the md5s would be easy enough ...