Adam R. B. Jack wrote:
Hmm, what makes folk think that the file could be changed without the MD5 hash file also being changed? I feel there has to be some private key from the originator, to ensure that nobody could fake both.
The MD5 should always come from the authoritative source (apache.org) using https.
How are we going to know what the "authoritative" source for a resource is? For Java we could enforce a reverse domain name,
i.e. packages like org.apache.... must get an MD5 from an apache.org website.
So, if there are such keys, how do we acquire them? How do we trust them?
regards
Adam
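The two points argued in the thread above, that an MD5 sidecar can be replaced along with the file by whoever controls the mirror, while a signature from the originator's private key cannot, and that a reverse-domain package name such as org.apache.commons can be mapped to the host (apache.org) that must serve the checksum over https, are shown together in the added Go example below. It is not code from the original mailing-list post or from any Apache project. The Ed25519 key pair, the artifact contents and the URLs are constructed for the demonstration; the host-mapping rule (first two reverse-domain segments, flipped) is an assumed reading of the proposal, not an established convention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// Artifact models a file as a mirror serves it, with its two sidecar files.
type Artifact struct {
	Name      string
	Content   []byte
	MD5Hex    string // what a .md5 sidecar would carry
	Signature []byte // what a detached signature sidecar would carry
}

// md5Hex is the digest a .md5 sidecar carries, in hex.
func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// NewOriginatorKey makes the originator's signing key pair (constructed here; a
// real project would distribute the public half out of band).
func NewOriginatorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Publish is what the originator does: write the MD5 sidecar and sign the content.
func Publish(priv ed25519.PrivateKey, name string, content []byte) Artifact {
	return Artifact{Name: name, Content: content, MD5Hex: md5Hex(content), Signature: ed25519.Sign(priv, content)}
}

// Tamper is what a compromised mirror can do: swap the content and recompute the
// MD5 sidecar. It has no private key, so the old signature is all it can serve.
func Tamper(a Artifact, newContent []byte) Artifact {
	a.Content = newContent
	a.MD5Hex = md5Hex(newContent)
	return a
}

// CheckMD5 is the weak check: it only proves the file matches the sidecar that
// came with it, which the same attacker controls.
func CheckMD5(a Artifact) bool {
	return a.MD5Hex == md5Hex(a.Content)
}

// CheckSignature is the strong check: it proves the holder of the originator's
// private key signed exactly this content.
func CheckSignature(pub ed25519.PublicKey, a Artifact) bool {
	return ed25519.Verify(pub, a.Content, a.Signature)
}

// AuthoritativeHost maps a reverse-domain package name (org.apache.commons) to
// the host that owns it (apache.org). Assumed rule: first two segments, flipped.
func AuthoritativeHost(pkg string) (string, bool) {
	parts := strings.Split(pkg, ".")
	if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
		return "", false
	}
	return strings.ToLower(parts[1] + "." + parts[0]), true
}

// HashURLAllowed enforces the "MD5 over https from the authoritative source"
// rule: scheme must be https and the host must be the owner or a subdomain of it.
func HashURLAllowed(pkg, rawURL string) bool {
	host, ok := AuthoritativeHost(pkg)
	if !ok {
		return false
	}
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" {
		return false
	}
	h := strings.ToLower(u.Hostname())
	return h == host || strings.HasSuffix(h, "."+host)
}

func main() {
	pub, priv, err := NewOriginatorKey()
	if err != nil {
		panic(err)
	}
	good := Publish(priv, "commons-foo.jar", []byte("constructed release contents"))
	bad := Tamper(good, []byte("constructed backdoored contents"))
	fmt.Println("tampered passes MD5 check:      ", CheckMD5(bad))
	fmt.Println("tampered passes signature check:", CheckSignature(pub, bad))
	fmt.Println("original passes signature check:", CheckSignature(pub, good))
	fmt.Println("https://www.apache.org/dist/x.md5 allowed for org.apache.commons:",
		HashURLAllowed("org.apache.commons", "https://www.apache.org/dist/x.md5"))
	fmt.Println("https://mirror.example/x.md5 allowed for org.apache.commons:    ",
		HashURLAllowed("org.apache.commons", "https://mirror.example/x.md5"))
}
```

The MD5 check accepts the tampered artifact because the attacker regenerated the sidecar; only the signature check, keyed to a public key obtained independently of the mirror, rejects it. The host rule blocks http and third-party mirrors but still leaves the question from the thread open: how the originator's public key is acquired and trusted in the first place.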
