incubator-depot-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Chalko <n...@chalko.com>
Subject Re: MD5 Hash
Date Wed, 11 Feb 2004 16:43:24 GMT
Adam R. B. Jack wrote:

>Hmm, what makes folk think that the file could be changed without the MD5
>hash file being changed also. I feel there has to be some private key from
>the originator, to ensure that nobody could fake both.
>
>  
>
The MD5 should always come from the authoritative source (apache.org)
using https.

How are we going to know what the "authoritative" source for a resource
is.
For java we could enforce a reverse domain name.

ie  packages  like org.apache....   must get a md5 for an apache.org
website.

>So, if there are such keys, how do we acquire them? How do we trust them?
>
>regards
>
>Adam
>  
>



Mime
View raw message