On mån, 2009-12-14 at 17:00 -0300, Alvaro Herrera wrote:
> Magnus Hagander wrote:
> > Yes.
> >
> > Ideally, we should serve up the MD5s from an SSL enabled webserver.
> > Something to think about for the future.
>
> Shouldn't we distribute the MD5 signatures along the release message,
> which should itself be signed with some appropriate GPG key?
Someone was doing this a while ago on their own.
But the usual argument for the md5 files in the past was to catch
download mistakes, not security.