Re: PGP signing releases

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> So you put the MD5 sum into the release announcement email. That is
> downloaded by many people and also archived in many distributed places
> that we don't control, so it would be very hard to tamper with.
> ISTM that this gives you the same result as a PGP signature but with
> much less administrative overhead.

Not the same results. For one thing, the mailing announcement may be
archived on google, but asking people to search google for an MD5 sum
as they download the tarball is hardly feasible. Second, it still does
not prevent someone from breaking into the server and replacing the
tarball with their own version, and their own MD5 checksum. Or maybe
just one of the mirrors. Users are not going to know to compare that
MD5 with versions on the web somewhere. Third, is does not allow a
positive history to be built up due to signing many releases over time.
With PGP, someone can be assured that the 9.1 tarball they just
downloaded was signed by the same key that signed the 7.3 tarball
they've been using for 2 years. Fourth, only with PGP can you trace
your key to the one that signed the tarball, an additional level of
security. MD5 provides an integrity check only. Any security it
affords (such as storing the MD5 sum elsewhere) is trivial and
should not be considered when using PGP is standard, easy to implement,
and has none of MD5s weaknesses.

- --
Greg Sabino Mullane greg(at)turnstep(dot)com
PGP Key: 0x14964AC8 200302102250
-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iD8DBQE+SA4AvJuQZxSWSsgRAhenAKDu0vlUBC5Eodyt2OxTG6el++BJZACguR2i
GGLAzhtA7Tt9w4RUYXY4g2U=
=3ryu
-----END PGP SIGNATURE-----