www-repository mailing list archives

From "Niclas Hedhman" <nic...@hedhman.org>
Subject Re: Summary
Date Thu, 02 Mar 2006 02:09:18 GMT
On 3/2/06, Brett Porter <brett.porter@gmail.com> wrote:
> I understand, but that requires that you get and import keys, which
> is a much more sophisticated operation. All we are using the sha1 for
> is to check that the download didn't get cut off halfway through.

I think Brett has a point. Keep the md5 and/or sha1 for simple download
verification, at least for quite a while. Meanwhile, Maven folks and we who
do those automated download tools, can start looking into a pgp driven solution
which solves both the download integrity concern as well as the security
aspects. But I think that will take a year or two, before it has been pushed
out and can replace the checksum...

