incubator-depot-dev mailing list archives

From Nick Chalko
Subject Re: MD5 Hash
Date Wed, 11 Feb 2004 16:43:24 GMT
Adam R. B. Jack wrote:

>Hmm, what makes folk think that the file could be changed without the MD5
>hash file being changed also. I feel there has to be some private key from
>the originator, to ensure that nobody could fake both.
The MD5 should always come from the authoritative source (
using https.

How are we going to know what the "authoritative" source for a resource
For java we could enforce a reverse domain name.

i.e. packages like org.apache.... must get an md5 for an

>So, if there are such keys, how do we acquire them? How do we trust them?

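Added example, not part of the original message or of the Depot code base: one way to apply the two rules the reply proposes, that the MD5 file is fetched over https and that its host matches the package's reversed domain name. The function names, the sample URLs and the two-label ownership rule are assumptions made for this illustration.

```python
import hashlib
from urllib.parse import urlsplit


def authoritative_domain(package: str, labels: int = 2) -> str:
    """Reverse the leading labels of a package name: org.apache.x -> apache.org.

    Assumption: the first two labels identify the owner. Owners under a
    multi-label public suffix (uk.co.example) need labels=3.
    """
    parts = package.lower().split(".")
    if len(parts) < labels or not all(parts[:labels]):
        raise ValueError(f"{package!r} has no reverse-domain prefix")
    return ".".join(reversed(parts[:labels]))


def checksum_source_ok(package: str, checksum_url: str) -> bool:
    """Accept a checksum only over https from the package owner's domain."""
    url = urlsplit(checksum_url)
    host = (url.hostname or "").lower()
    domain = authoritative_domain(package)
    # Exact match or a true subdomain; a bare suffix test would also accept
    # "evilapache.org".
    return url.scheme == "https" and (host == domain or host.endswith("." + domain))


def verify_artifact(package: str, checksum_url: str, checksum_body: str,
                    artifact: bytes) -> bool:
    """Check the checksum's origin first, then the MD5 of the downloaded bytes."""
    if not checksum_source_ok(package, checksum_url):
        return False
    fields = checksum_body.split()  # "<hex>" or "<hex>  <filename>"
    if not fields:
        return False
    return fields[0].lower() == hashlib.md5(artifact).hexdigest()


# Constructed sample data, not taken from any real repository.
SAMPLE_ARTIFACT = b"constructed sample jar bytes"
SAMPLE_MD5_FILE = hashlib.md5(SAMPLE_ARTIFACT).hexdigest() + "  sample.jar\n"

if __name__ == "__main__":
    good = "https://www.apache.org/dist/sample.jar.md5"  # hypothetical URL
    mirror = "https://mirror.example.net/apache/sample.jar.md5"  # hypothetical URL
    print(verify_artifact("org.apache.sample", good, SAMPLE_MD5_FILE, SAMPLE_ARTIFACT))
    print(verify_artifact("org.apache.sample", mirror, SAMPLE_MD5_FILE, SAMPLE_ARTIFACT))
```

The artifact itself may still come from any mirror; only the checksum is pinned to the owner's host. This covers where the checksum is fetched from and leaves the originator-key question in the quoted text as a separate control.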