On Mon, Jul 30, 2018 at 07:41:33PM +0200, Tim Düsterhus wrote:
> Willy,
>
> On 30.07.2018 at 18:05, Willy Tarreau wrote:
> > A small update happened to the download directory, the sha256 of the
> > tar.gz files are now present in addition to the (quite old) md5 ones.
> > We may start to think about phasing md5 signatures out, for example
> > after 1.9 is released.
>
> I'd even like to see PGP signatures, like you already do for the git
> tags (but not the tarballs). But this is a greater change than just
> updating the checksums :-)
I know and I've already thought about it. But I personally refuse to store my PGP key on any exposed machine. Right now, in order to tag, I have to SSH into an isolated machine, run "git pull --tags", create-release, and "git push --tags". Then I upload the release.

What I don't like with PGP on an exposed machine is that it reduces the size of your 4096-bit key to the size of your passphrase (which most often contains much less than the ~700 characters it would need to be as large), and also increases your ability to get fooled into entering it. Some would call me paranoid, but I don't think I am; I'm just trying to keep a balanced level of security, knowing that the global one is not better than the weakest point.

If I wanted to sign the images, it would require finding a different release method and would significantly complicate the procedure.

Willy
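As an added example that is not code from HAProxy or from either poster, this is the downloader's side of the checksum change discussed above: a POSIX sh check that accepts a tarball only on the strength of the published .sha256 file and never falls back to the .md5 one. The download layout (NAME.tar.gz beside NAME.tar.gz.sha256 in sha256sum's "<hex>  NAME" format) and all file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from HAProxy or the thread: check a downloaded
# tarball against the .sha256 file published beside it, never the .md5 one.
# Assumed layout (constructed below): NAME.tar.gz next to NAME.tar.gz.sha256
# holding "<hex>  NAME.tar.gz" as written by sha256sum.

# Digest of a file with whichever tool the system has (sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release TARBALL: 0 only if TARBALL.sha256 exists and lists a digest
# for the tarball's basename that matches the file's real digest.
verify_release() {
    tarball=$1
    sumfile="$tarball.sha256"
    if [ ! -f "$sumfile" ]; then
        [ -f "$tarball.md5" ] && echo "$tarball: only an md5 file, not trusted" >&2
        return 1
    fi
    expected=$(awk -v f="$(basename "$tarball")" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sumfile")
    [ -n "$expected" ] || { echo "$tarball: no sha256 entry" >&2; return 1; }
    [ "$(sha256_of "$tarball")" = "$expected" ]
}

# make_fixture DIR: constructed download directory with a genuine tarball, one
# swapped after its checksum was published, and one that only has an .md5.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    printf 'genuine release\n' > "$dir/good.tar.gz"
    printf '%s  good.tar.gz\n' "$(sha256_of "$dir/good.tar.gz")" > "$dir/good.tar.gz.sha256"
    printf 'swapped release\n' > "$dir/swapped.tar.gz"
    printf '%s  swapped.tar.gz\n' "$(sha256_of "$dir/good.tar.gz")" > "$dir/swapped.tar.gz.sha256"
    printf 'legacy release\n' > "$dir/legacy.tar.gz"
    printf '<placeholder md5>  legacy.tar.gz\n' > "$dir/legacy.tar.gz.md5"
}

# Stand-alone demo: build the fixture and report each tarball.
demo=$(mktemp -d)
make_fixture "$demo"
for t in "$demo"/*.tar.gz; do
    if verify_release "$t"; then echo "OK   $t"; else echo "FAIL $t"; fi
done
rm -rf "$demo"
```

The check binds the digest to the tarball's own basename, so a .sha256 file copied from a different release does not pass either.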