From: | Kurt Roeckx <Q(at)ping(dot)be> |
---|---|
To: | Greg Copeland <greg(at)CopelandConsulting(dot)Net> |
Cc: | "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Neil Conway <neilc(at)samurai(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: PGP signing releases |
Date: | 2003-02-03 19:55:03 |
Message-ID: | 20030203195503.GA12917@ping.be |
Lists: | pgsql-hackers |
On Mon, Feb 03, 2003 at 12:24:14PM -0600, Greg Copeland wrote:
> On Sun, 2003-02-02 at 20:23, Marc G. Fournier wrote:
>
> > right, that is why we started to provide md5 checksums ...
>
> md5 checksums only validate that the intended package (trojaned or
> legit) has been properly received. They offer nothing from a security
> perspective unless the checksums have been signed with a key which can
> be readily validated from multiple independent sources.

If you can get the md5 sum of "multiple independent sources",
it's about the same thing. It all depends on how much you trust
those sources.

I'm not saying md5 is as secure as pgp, not at all, but you can't
trust those pgp keys to be the real one either.

Kurt
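
The cross-check discussed in this message, as an added example that is not part of the original email or of any PostgreSQL tooling: it compares a downloaded file's MD5 against md5sum-format listings from several sources and reports agreement or conflict. The file name, source labels and quorum value are hypothetical, and the sample data is constructed.

```python
import hashlib

def listed_digest(md5sums_text, filename):
    """Return the digest an md5sum-format listing gives for filename, or None."""
    for line in md5sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        # md5sum prefixes the name with '*' when the file was read in binary mode
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if name == filename and len(digest) == 32:
            return digest
    return None

def cross_check(data, filename, listings, quorum=2):
    """Compare the MD5 of data with listings ({source: md5sum text}).

    Returns (verdict, agree, differ): "conflict" if any source lists a
    different digest, "match" if at least quorum sources agree and none
    differ, otherwise "insufficient". Counting agreement says nothing about
    whether the sources are actually independent of each other.
    """
    actual = hashlib.md5(data).hexdigest()
    agree, differ = [], []
    for source in sorted(listings):
        digest = listed_digest(listings[source], filename)
        if digest == actual:
            agree.append(source)
        elif digest is not None:
            differ.append(source)
    if differ:
        verdict = "conflict"
    elif len(agree) >= quorum:
        verdict = "match"
    else:
        verdict = "insufficient"
    return verdict, agree, differ

# Constructed sample data (hypothetical file name and source labels).
FILENAME = "release-X.Y.tar.gz"
TARBALL = b"constructed release tarball bytes"
GOOD = hashlib.md5(TARBALL).hexdigest()
BAD = hashlib.md5(TARBALL + b"tampered").hexdigest()
LISTINGS = {
    "mirror-a": f"{GOOD}  {FILENAME}\n",
    "mirror-b": f"{GOOD.upper()} *{FILENAME}\n",
    "announce-mail": f"{BAD}  {FILENAME}\n",
}

if __name__ == "__main__":
    print(cross_check(TARBALL, FILENAME, LISTINGS))
```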