httpd-dev mailing list archives

From Ben Laurie <>
Subject Re: [STATUS] Tue Jun 3 13:32:51 EDT 1997
Date Tue, 03 Jun 1997 18:56:56 GMT

Marc Slemko wrote:
> Oh, and even if we don't start signing releases we should provide a md5
> hash on the web site for all source and binaries.  Easy to make, easy to
> verify, lets someone download from a mirror and then just verify the hash
> with the main site, etc.

I've been thinking about signing. I think we should circulate the keys of the
developers with the source. The MD5 hashes of the distribution can be detached
signed by as many developers as can be bothered, and those signatures rolled
into the final release.

If there's agreement, I'd suggest we create a KEYS file at the top of the CVS
repository, and sling our keys into it. We should also create a signatures
directory, which is where we put our signatures and the MD5 hashes. Signature
files would be named with the email address of the signer. This would have an
incidental side-effect of signing the CVS source tree at particular points,



Ben Laurie                Phone: +44 (181) 994 6435  Email:
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL:
A.L. Digital Ltd,         Apache Group member (
London, England.          Apache-SSL author
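
The hash half of the scheme discussed in this message, as an added example that is not part of the original post or the project's own tooling: the main site writes a manifest of digests, and a downloader checks files fetched from a mirror against it. The manifest layout, the `MD5SUMS` file name and all function names are assumptions; verifying the developers' detached signatures over the manifest is left to a PGP tool.

```python
import hashlib
import os
import tempfile

def file_digest(path, algorithm="md5"):
    h = hashlib.new(algorithm)  # MD5 as in the thread; "sha256" also works
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large tarballs
            h.update(chunk)
    return h.hexdigest()

def write_manifest(dist_dir, manifest_path, algorithm="md5"):
    with open(manifest_path, "w") as out:  # main site: "<hex>  <name>" per file
        for name in sorted(os.listdir(dist_dir)):
            out.write(f"{file_digest(os.path.join(dist_dir, name), algorithm)}  {name}\n")

def parse_manifest(manifest_path):
    """Return {name: digest}; reject duplicate names and names carrying a path."""
    entries = {}
    with open(manifest_path) as f:
        for line in filter(str.strip, f):
            digest, name = line.rstrip("\n").split("  ", 1)
            if name in entries or os.path.basename(name) != name:
                raise ValueError(f"suspicious manifest entry: {name!r}")
            entries[name] = digest.lower()
    return entries

def verify_download(mirror_dir, manifest_path, algorithm="md5"):
    """Check files fetched from a mirror against the main-site manifest."""
    report = {name: "unlisted" for name in os.listdir(mirror_dir)}
    for name, digest in parse_manifest(manifest_path).items():
        path = os.path.join(mirror_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        else:
            report[name] = "ok" if file_digest(path, algorithm) == digest else "MISMATCH"
    return report

def demo():  # constructed sample: a intact, b altered on the mirror, c.exe unlisted
    trees = {"main": {"a.tar.gz": b"src", "b.tar.gz": b"bin"},
             "mirror": {"a.tar.gz": b"src", "b.tar.gz": b"bad", "c.exe": b"x"}}
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            os.mkdir(os.path.join(tmp, tree))
            for name, data in files.items():
                with open(os.path.join(tmp, tree, name), "wb") as f:
                    f.write(data)
        manifest = os.path.join(tmp, "MD5SUMS")
        write_manifest(os.path.join(tmp, "main"), manifest)
        return verify_download(os.path.join(tmp, "mirror"), manifest)
```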