Re: PGP signing releases
Peter Eisentraut <peter_e@gmx.net>
From: Peter Eisentraut <peter_e@gmx.net>
To: Curt Sampson <cjs@cynic.net>
Cc: Kurt Roeckx <Q@ping.be>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2003-02-10T19:12:44Z
Lists: pgsql-hackers
Curt Sampson writes: > MD5, or any other unsigned check, makes sense from a security point of > view only if it is stored independently from the thing you are checking. So you put the MD5 sum into the release announcement email. That is downloaded by many people and also archived in many distributed places that we don't control, so it would be very hard to tamper with. ISTM that this gives you the same result as a PGP signature but with much less administrative overhead. -- Peter Eisentraut peter_e@gmx.net