httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 55808] File integrity verification using MD5 and SHA1
Date Wed, 13 Jan 2016 22:54:33 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=55808

--- Comment #8 from Yann Ylavic <ylavic.dev@gmail.com> ---
(In reply to fedor.brunner from comment #6)
> 
> So the integrity of the downloaded file would be tied to the TLS security of
> apache.org and SHA-1 security.

The user is expected to trust TLS for the route to apache.org, apache.org from
the integrity of /dist/ (where the original and its digests/signature land),
and finally MD5/SHA1/PGP for the integrity of the tarball.

So a tarball from any other location should still be verified against
digest/signatures from apache.org/dist/, not mirror's.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message