httpd-docs mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: Bad key from your id on Apache Windows Binary
Date Mon, 05 Mar 2007 20:03:38 GMT


On 03/05/2007 05:12 PM, Joshua Slive wrote:

> 
> In general, for the average downloader, establishing a trust
> relationship to the signer is going to be pretty difficult.  If you
> trust apache.org, then just verifying the md5 signature is enough.  If

As discussed in different places (not sure whether on dev@httpd.apache.org or
dev@apr.apache.org), md5 can only be seen as some sort of checksum today
to find transmission errors. It is not really useful any longer to detect
deliberate changes to the files.

> you don't trust apache.org (and really, you shouldn't), you'll need to
> find some out-of-band way to verify either the md5 or the pgp key.

At least obtaining the KEYS file via

http_s_://svn.apache.org/viewvc/httpd/site/trunk/dist/KEYS?revision=494598

should increase the trust in the KEYS file and its contents (provided that
our repository has not been hacked).

Regards

Rüdiger
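
Added example, not part of the original message or of any Apache tooling: a small Python simulation of the point made in this exchange, that a checksum served next to the download catches transmission errors but not a deliberate change, while a reference value obtained over a separate channel catches both. The mirror model, the function names and the pinned SHA-256 digest (a simplified stand-in for a PGP signature checked against an independently obtained KEYS file) are assumptions made for the illustration; it does not demonstrate MD5 collisions.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_mirror(artifact: bytes) -> dict:
    """Model a mirror: the file plus an .md5 sidecar served from the same place."""
    return {"file": artifact, "md5": md5_hex(artifact)}


def check_sidecar(download: dict) -> bool:
    """In-band check: file compared with the .md5 fetched from the same server."""
    return md5_hex(download["file"]) == download["md5"]


def check_pinned(download: dict, pinned_sha256: str) -> bool:
    """Out-of-band check: file compared with a digest obtained via another channel."""
    return hmac.compare_digest(sha256_hex(download["file"]), pinned_sha256)


# Constructed sample data; PINNED is assumed to have been obtained over a
# separate, authenticated channel rather than from the mirror itself.
RELEASE = b"constructed release tarball bytes\n" * 4
PINNED = sha256_hex(RELEASE)


def evaluate() -> dict:
    honest = make_mirror(RELEASE)
    # Transmission error: one bit of the file flips, the sidecar is unchanged.
    flipped = bytearray(RELEASE)
    flipped[10] ^= 0x01
    bit_flip = {"file": bytes(flipped), "md5": honest["md5"]}
    # Deliberate change: whoever alters the file also regenerates the sidecar.
    tampered = make_mirror(RELEASE + b"unreviewed change\n")
    cases = {"honest": honest, "bit flip": bit_flip, "tampered": tampered}
    return {name: (check_sidecar(d), check_pinned(d, PINNED))
            for name, d in cases.items()}


if __name__ == "__main__":
    for name, (sidecar_ok, pinned_ok) in evaluate().items():
        print(f"{name:9s} sidecar md5 ok={sidecar_ok!s:5s} pinned digest ok={pinned_ok}")
```
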

