Ian Holsman wrote on Thu, Oct 11, 2012 at 10:53:11 +1100:
>
> On Oct 11, 2012, at 10:44 AM, Greg Stein <gst...@gmail.com> wrote:
>
> >
> > (assume secure Infrastructure)
>
> That's a pretty big assumption isn't it?
> There have been public instances where open source infrastructures have been
> hacked, and releases have been messed with.
>
> I think keys removes the need for the assumption.

Signatures also allow verifying "whoever signed <this> tarball is the same
person who signed the previous tarball". Hash functions don't do that.
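
The signer-continuity check described in this message, as an added example that is not part of the original post or of any project tooling: it reads the machine-readable status lines that `gpg --status-fd 1 --verify` prints for two releases and compares the primary-key fingerprints from their `VALIDSIG` lines. The status text, fingerprints and user ID below are constructed samples, and the function names are hypothetical.

```python
# Added example: "was this tarball signed by the same key as the previous one?"
# Input is the text gpg writes with --status-fd when verifying a detached signature.
PREFIX = "[GNUPG:] "

def signer_primary_fpr(status_text):
    """Primary-key fingerprint of the first valid signature, or None if there is none."""
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if len(fields) >= 2 and fields[0] == "VALIDSIG":
            args = fields[1:]
            # VALIDSIG args: signing-key fpr, date, timestamps, version, algos, class,
            # then (optionally, as the 10th) the primary-key fpr when a subkey signed.
            return (args[9] if len(args) >= 10 else args[0]).upper()
    return None  # BADSIG, ERRSIG or no signature: nothing to compare

def same_signer(prev_status, new_status):
    """True only if both releases carry a valid signature from the same primary key."""
    prev = signer_primary_fpr(prev_status)
    new = signer_primary_fpr(new_status)
    return prev is not None and prev == new

# Constructed fingerprints (40 hex digits each); not real keys.
FPR_A, SUB_A, FPR_B = "A1" * 20, "5C" * 20, "B2" * 20
UID = "Constructed Signer <signer@example.invalid>"

# Release 1: signed with a subkey of key A (primary fingerprint in the last field).
REL1 = (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {SUB_A[-16:]} {UID}\n"
        f"[GNUPG:] VALIDSIG {SUB_A} 2012-09-01 1346457600 0 4 0 1 8 00 {FPR_A}\n")
# Release 2: signed directly with primary key A (no trailing primary-key field).
REL2 = (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {FPR_A[-16:]} {UID}\n"
        f"[GNUPG:] VALIDSIG {FPR_A} 2012-10-01 1349049600 0 4 0 1 8 00\n")
# Release 3: valid signature, but from a different key B.
REL3 = (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {FPR_B[-16:]} {UID}\n"
        f"[GNUPG:] VALIDSIG {FPR_B} 2012-10-11 1349913600 0 4 0 1 8 00 {FPR_B}\n")
# Release 4: tarball modified after signing, so gpg reports BADSIG and no VALIDSIG.
REL4 = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {FPR_A[-16:]} {UID}\n"

if __name__ == "__main__":
    for name, status in (("REL2", REL2), ("REL3", REL3), ("REL4", REL4)):
        print(name, "same signer as REL1:", same_signer(REL1, status))
```

A checksum file published next to REL3 or REL4 would match whatever tarball it was generated from, which is why it cannot answer this question.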