On Tue, Apr 24, 2001 at 07:12:44PM -0400, Michael Stone wrote: > > nonononono! We *already* have the md5's available in a web-accessible > form in the mailing list archives. Having them on the wml pages is a Bad > Thing. There is no associated signature to validate that the md5's > haven't been tampered with. It is likely that anyone who could modify > the binaries on pandora could *also* modify the web pages. Adding md5's > to the web pages is a dangerously misleading false sense of security. > Anyone who wants this information for the purpose of validating a > security upload *must* use the pgp-signed version *already available.* > They were requested by Wichert and Joey, so make sure they agree.
At a minimum, there should be a link to the appropriate page in the list archives. -- James (Jay) Treacy [EMAIL PROTECTED]
