incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject Re: key signing
Date Thu, 11 Oct 2012 08:01:33 GMT

On 11 Oct 2012, at 00:44, Greg Stein wrote:

> Please explain how "keys" are needed for this ASF release? Consumers are
> already told to verify the SHA1 and nothing more. I doubt any more is
> needed.

SHA1 offers no more protection than a checksum against MITM attack.

> (assume secure Infrastructure)

You have to extend that assumption not only to our infrastructure but to
every proxy that might come between us and a user, and that might
substitute a trojan along with the trojan's own SHA1.

Nick Kew

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message