incubator-depot-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Markus M. May" <m...@gmx.net>
Subject Re: MD5 Hash
Date Wed, 11 Feb 2004 16:34:37 GMT
I think in the same direction. First I will try to compare the generated
hash with the hash from the mirror. In a second step I will then try to
determine the original .md5 file and compare to this one.
Basically the web-of-trust is pretty hard to automate right now. You already
have a KEYS file with quite a lot of keys, but you cannot tell which key
signed the file. There is no way to do this (or i missed it). So right now, I
will concentrate on the MD5-stuff. 

Markus

> > Basically the MD5 Hash does not need keys.
> > [...]
> > Also apache.org delivers a file named .asc
> 
> Ok, thanks, I get it now (I think.)
> 
> This explains some of the negative comments I've heard about MD5 then (it
> not being too strong). I read on some, on one Apache list, that folks will
> be ok with this being strong enough though. What will be tricky for us,
> should we chose to attempt it, will be supporting mirrors yet using the
> original MD5 from Apache...
> 
> Since ASC has keys, that ties in to the 'web of trust' that Apache is
> working on, I think. Once on trusts a certain set of keys, those keys can
> be
> used to verify others that are acquired, and those can be used to verify
> the
> ASC. This is much harder to automate, but something we could aspire to...
> 
> regards,
> 
> Adam
> 


Mime
View raw message