httpd-dev mailing list archives

From Marc Slemko <>
Subject Re: 1.2.1
Date Sun, 06 Jul 1997 17:27:07 GMT
On Sun, 6 Jul 1997, Rodent of Unusual Size wrote:

> >From the fingers of Marc Slemko flowed the following:
> >
> >> It allows people to check for tampered-with source on mirrors.
> >
> >md5 lets you do that too, and is the main reason I would use it if I were
> >a user.
> >
> >Get the md5 hash from the main site, get the tarball from a closer mirror,
> >compare the hashes.  Much easier for me on OSes with md5 already installed
> >than installing pgp, getting the keys, etc, etc. 
>     So?  It's easier for *you*, but it's not easier for *me*.  My system
>     doesn't have md5, but it does have PGP.

Get a real OS. <g>

>     So let's sign it both ways.  MD5 says, "file a is the same as file
>     b;" PGP says, "file a is the same as file b, and Joe Bonehead
>     attests to the validity of file a."

Of course.  I wasn't advocating not doing a PGP signature, just that a md5
hash could be useful. 

Unless we start placing md5 hashes on a bunch of other unrelated servers
for verification, md5 hashes give absolutely zilch in the way of
assurances that taz hasn't been hacked. 

>     Downloaders that care can use whichever method they like.
>     #ken    :-)}
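
The checks discussed in this message, as an added example that is not part of the original thread: a download is compared against the hash published on the main site, and then against hashes fetched from several unrelated servers. The source names, the quorum parameter and the byte strings standing in for the tarball are assumptions constructed for illustration.

```python
import hashlib
import hmac


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of the downloaded bytes (md5, as in the thread)."""
    return hashlib.new(algorithm, data).hexdigest()


def check_download(data: bytes, published: dict, quorum: int = 1):
    """Compare a download against digests published on several sources.

    published maps a (hypothetical) source name to the hex digest fetched
    from it. Returns (ok, agreeing, dissenting); ok requires at least
    `quorum` agreeing sources and no dissenting source.
    """
    actual = digest(data)
    agreeing = sorted(name for name, value in published.items()
                      if hmac.compare_digest(value.strip().lower(), actual))
    dissenting = sorted(set(published) - set(agreeing))
    return len(agreeing) >= quorum and not dissenting, agreeing, dissenting


# Constructed stand-ins for the release tarball and a modified copy.
GENUINE = b"constructed stand-in for the release tarball"
TAMPERED = GENUINE + b" plus an unauthorised change"


def scenarios():
    # 1. A mirror serves a modified tarball; the main site's hash is intact.
    mirror_case = check_download(TAMPERED, {"main-site": digest(GENUINE)})
    # 2. The main site is compromised: tarball and hash were replaced
    #    together, so a check against that one source still passes.
    main_only = check_download(TAMPERED, {"main-site": digest(TAMPERED)})
    # 3. Same compromise, but hashes are also fetched from unrelated servers.
    cross = check_download(TAMPERED, {
        "main-site": digest(TAMPERED),
        "unrelated-1": digest(GENUINE),
        "unrelated-2": digest(GENUINE),
    }, quorum=2)
    return mirror_case, main_only, cross


if __name__ == "__main__":
    labels = ("tampered mirror", "compromised main site, one source",
              "compromised main site, three sources")
    for label, (ok, agree, dissent) in zip(labels, scenarios()):
        print(f"{label}: ok={ok} agree={agree} dissent={dissent}")
```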
