Re: PGP signing release

Marc G. Fournier <scrappy@hub.org>

From: "Marc G. Fournier" <scrappy@hub.org>
To: Bruce Momjian <pgman@candle.pha.pa.us>
Cc: Greg Copeland <greg@CopelandConsulting.Net>, Curt Sampson <cjs@cynic.net>, PostgresSQL Hackers Mailing List <pgsql-hackers@postgresql.org>
Date: 2003-02-12T04:55:28Z
Lists: pgsql-hackers
On Tue, 11 Feb 2003, Bruce Momjian wrote:

>
> I hate to poo-poo this, but this "web of trust" sounds more like a "web
> of confusion".  I liked the idea of mentioning the MD5 in the email
> announcement.  It doesn't require much extra work, and doesn't require a
> 'web of %$*&" to be set up to check things.  Yea, it isn't as secure as
> going through the motions, but if someone breaks into that FTP server
> and changes the tarball and MD5 file, we have much bigger problems than
> someone modifying the tarballs;  our CVS is on that machine too.

Its so rare that it happens, but I do agree with Bruce :)

Justin, one thought ... storing the MD5s in the database for the
postgresql.org site, so that ppl can compare the two places?  We'd
*really* have to be compromised for that to fail, but adding the md5s
would be easy enough ...