incubator-general mailing list archives

From Nick Kew <...@apache.org>
Subject Re: key signing
Date Thu, 11 Oct 2012 08:01:33 GMT

On 11 Oct 2012, at 00:44, Greg Stein wrote:

> Please explain how "keys" are needed for this ASF release? Consumers are
> already told to verify the SHA1 and nothing more. I doubt any more is
> needed.

SHA1 offers no more protection than a checksum against MITM attack.

> (assume secure Infrastructure)

You have to extend that assumption not only to our infrastructure but to
every proxy that might come between us and a user, and that might
substitute a trojan along with the trojan's own SHA1.

-- 
Nick Kew
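
The following Python example is added here; it is not part of the message above or of any ASF tooling. It models the download discussed in the thread: a SHA1 fetched over the same path as the artifact still matches after a substitution, while a signature checked against a key the user obtained separately does not. The toy RSA key, the sample bytes and the names `download` and `verify` are constructed for illustration.

```python
import hashlib

# Toy textbook-RSA key built from two Mersenne primes (constructed for this
# example; no padding, trivially breakable). Stands in for the signer's real key.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                  # public half, obtained by the user out of band
D = pow(E, -1, (P - 1) * (Q - 1))    # private half, known only to the signer

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Signer side: requires the private exponent D."""
    return pow(_digest_int(data), D, N)

def signature_ok(data: bytes, sig: int) -> bool:
    """User side: requires only the public key (N, E)."""
    return pow(sig, E, N) == _digest_int(data)

def download(via_hostile_proxy: bool) -> dict:
    """Return what the user receives: artifact, published SHA1, detached signature."""
    release = b"release-1.0 contents (constructed sample)"
    bundle = {"artifact": release, "sha1": sha1_hex(release), "sig": sign(release)}
    if via_hostile_proxy:
        # The intermediary controls every byte it relays, so the artifact and its
        # checksum change together; it cannot produce a valid signature without D.
        swapped = b"substituted contents (constructed sample)"
        bundle.update(artifact=swapped, sha1=sha1_hex(swapped))
    return bundle

def verify(bundle: dict) -> tuple:
    """Return (checksum verdict, signature verdict) for a downloaded bundle."""
    checksum_ok = sha1_hex(bundle["artifact"]) == bundle["sha1"]
    return (checksum_ok, signature_ok(bundle["artifact"], bundle["sig"]))

if __name__ == "__main__":
    print("direct :", verify(download(False)))
    print("proxied:", verify(download(True)))
```

The signature check only helps if the public key reaches the user by a path the intermediary does not control, which is what key signing is for.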
