Quick Links

Re: PGP signing releases

From:	Peter Eisentraut <peter_e(at)gmx(dot)net>
To:	Curt Sampson <cjs(at)cynic(dot)net>
Cc:	Kurt Roeckx <Q(at)ping(dot)be>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject:	Re: PGP signing releases
Date:	2003-02-10 19:12:44
Message-ID:	Pine.LNX.4.44.0302101523510.6138-100000@peter.localdomain
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Curt Sampson writes:

> MD5, or any other unsigned check, makes sense from a security point of
> view only if it is stored independently from the thing you are checking.

So you put the MD5 sum into the release announcement email. That is
downloaded by many people and also archived in many distributed places
that we don't control, so it would be very hard to tamper with. ISTM that
this gives you the same result as a PGP signature but with much less
administrative overhead.

--
Peter Eisentraut peter_e(at)gmx(dot)net

In response to

Re: PGP signing releases at 2003-02-04 23:00:06 from Curt Sampson

Responses

Re: PGP signing releases at 2003-02-11 03:57:13 from greg

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Peter Eisentraut	2003-02-10 19:13:12	Re: 7.2 -> 7.3 incompatibility
Previous Message	Robert Osowiecki	2003-02-10 19:12:01	Views and unique indicies optimisation