httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: 1.3b2 tarball
Date Mon, 20 Oct 1997 21:35:32 GMT
Because that is useless.  The purpose is not just to verify that mirrors
are correct (md5 checksums do that), but also to verify that the
distribution source hasn't been hacked.

That requires that developers independently sign it using their own key
which is not vulnerable if taz is compromised.

On Mon, 20 Oct 1997, Lars Eilebrecht wrote:

> According to Rob Hartill:
> 
> [...]
> >  How would one use pgp on taz without storing your "guard it with
> >  your life" secret key on taz ?
> >  
> >  Pgp's only as good as the security of the secret key isn't it ?
> >  We may be stuck signing stuff remotely.
> 
> How about one 'official' Apache Group PGP key signed by all
> Apache Group members? The key can be stored on taz rsp. given to
> all members and no one has to use a private PGP key.
> 
> Just my 0.02$ :-)
> 
> 
> ciao...
> -- 
> Lars Eilebrecht                       - Any sufficiently advanced bug...
> sfx@unix-ag.org                     - is indistinguishable from a feature.
> http://www.si.unix-ag.org/~sfx/
> 
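
The distinction drawn in this message, as an added example that is not part of the original thread: a checksum published beside the tarball is regenerated by whoever controls the host, and so is a signature if the signing key lives there, while a signature made with a key kept off the host no longer verifies. Ed25519 and SHA-256 stand in for PGP and md5 here, and `Host`, `Tamper`, `Verify` and `Scenario` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Host is everything stored on the distribution server ("taz" in the thread).
type Host struct {
	Tarball, Sig []byte
	Checksum     [32]byte
	HostKey      ed25519.PrivateKey // signing key kept on the host; nil if kept elsewhere
}

// Tamper models a host compromise: swap the tarball, regenerate what the host can.
func (h *Host) Tamper(data []byte) {
	h.Tarball, h.Checksum = data, sha256.Sum256(data)
	if h.HostKey != nil {
		h.Sig = ed25519.Sign(h.HostKey, data)
	}
}

// Verify is the downloader's side; pub is obtained out of band, not from the host.
func Verify(h *Host, pub ed25519.PublicKey) (checksumOK, sigOK bool) {
	sum := sha256.Sum256(h.Tarball)
	return bytes.Equal(sum[:], h.Checksum[:]), ed25519.Verify(pub, h.Tarball, h.Sig)
}

// Scenario publishes a signed release, compromises the host, then verifies.
func Scenario(keyOnHost bool) (checksumOK, sigOK bool) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	data := []byte("constructed sample: release source")
	h := &Host{Tarball: data, Sig: ed25519.Sign(priv, data), Checksum: sha256.Sum256(data)}
	if keyOnHost {
		h.HostKey = priv // shared key stored on the server
	}
	h.Tamper([]byte("constructed sample: modified source"))
	return Verify(h, pub)
}

func main() {
	c1, s1 := Scenario(true)
	c2, s2 := Scenario(false)
	fmt.Printf("key on host: checksum ok=%v sig ok=%v\nkey off host: checksum ok=%v sig ok=%v\n", c1, s1, c2, s2)
}
```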

