On 03/05/2007 05:12 PM, Joshua Slive wrote:
> In general, for the average downloader, establishing a trust
> relationship to the signer is going to be pretty difficult. If you
> trust apache.org, then just verifying the md5 signature is enough. If

As discussed in different places (not sure whether on [email protected] or
[email protected]) md5 can be only seen as some sort of checksum today to find
transmission errors. It is not really useful any longer to detect deliberate
changes of the files.

> you don't trust apache.org (and really, you shouldn't), you'll need to
> find some out-of-band way to verify either the md5 or the pgp key.

At least obtaining the KEYS file via
http_s_://svn.apache.org/viewvc/httpd/site/trunk/dist/KEYS?revision=494598
should increase the trust in the KEYS file and its contents (provided that
our repository has not been hacked).

Regards

Rüdiger
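As an added example (not from the thread and not httpd project tooling), a POSIX shell script that applies the check the message argues for: the PGP signature verified against the project's KEYS file is the trust decision, while the md5 file is only used to spot a corrupted transfer. It assumes gpg and md5sum are installed, that KEYS was already downloaded over https as the raw file, and the usual release layout of a tarball with .asc and .md5 files beside it; file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the httpd project.
# The PGP signature checked against KEYS proves the tarball is what a
# release key holder signed; the .md5 file only catches a bad transfer.
# Assumed files next to the tarball: <tarball>.asc and <tarball>.md5.
set -u

# md5_matches FILE MD5FILE -> 0 when the 32-hex digest in MD5FILE equals
# FILE's md5. Accepts "digest", "digest *file" or "MD5 (file) = digest".
md5_matches() {
    file=$1; md5file=$2
    expected=$(sed -n 's/.*\([0-9a-fA-F]\{32\}\).*/\1/p' "$md5file" \
               | head -n 1 | tr 'A-F' 'a-f')
    actual=$(md5sum "$file" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# pgp_verify TARBALL SIGFILE KEYSFILE -> 0 only if SIGFILE is a good
# signature over TARBALL by a key listed in KEYSFILE. A throwaway
# GNUPGHOME keeps release keys out of the user's own keyring and makes
# sure nothing but the contents of KEYS can satisfy the check.
pgp_verify() {
    tarball=$1; sig=$2; keys=$3
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null \
        && gpg --homedir "$home" --batch --verify "$sig" "$tarball" 2>/dev/null
    rc=$?
    rm -rf "$home"
    return $rc
}

# verify_release TARBALL KEYSFILE: signature first, md5 only afterwards.
# KEYSFILE is the KEYS file fetched over https (raw file, not the HTML view).
verify_release() {
    tarball=$1; keys=$2
    if ! pgp_verify "$tarball" "$tarball.asc" "$keys"; then
        echo "BAD or missing PGP signature: do not use $tarball" >&2
        return 1
    fi
    if ! md5_matches "$tarball" "$tarball.md5"; then
        echo "md5 mismatch: transfer probably corrupt, download again" >&2
        return 1
    fi
    echo "good signature from a KEYS key, md5 consistent: $tarball"
}

if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```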
