Hi Ken,

> I guess I was thinking if the concern is the distribution has been
> compromised by attackers they could produce a bogus hash file, but not
> a GPG signature (at least hopefully not one signed by me).

True, but some won't bother with checking a GPG signature, is it
`gpg --verify foo.sig foo'?, but will run sha1sum(1) or similar, so the
more the merrier. And it's more being able to check this file is
complete and correct, especially if I've dredged it up some years later
and want to check it's the right, final, one. They'd have to modify
your announcement email too.

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy

_______________________________________________
Nmh-workers mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/nmh-workers
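Added example, not part of the original message or of the nmh project: a shell sketch of the point argued in this exchange. A hash file stored beside the download is only as trustworthy as the download site, while a digest recorded in a separate channel such as the announcement email still catches a replaced file. The file names, contents and the use of sha256sum (standing in for "sha1sum(1) or similar") are assumptions, and all data is constructed.

```shell
#!/bin/sh
# Constructed files stand in for a release tarball and its hash file.

# digest_of FILE: print the hex SHA-256 of FILE.
digest_of() { sha256sum "$1" | cut -d' ' -f1; }

# digest_from_hashfile HASHFILE NAME: look up NAME in sha256sum-format output.
digest_from_hashfile() { awk -v n="$2" '$2 == n { print $1 }' "$1"; }

# verify FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
verify() { [ -n "$2" ] && [ "$(digest_of "$1")" = "$2" ]; }

demo() {
    d=$(mktemp -d) || return 1

    # Genuine release: the maintainer quotes this digest in the announcement.
    printf 'genuine release contents\n' > "$d/foo.tar.gz"
    announced=$(digest_of "$d/foo.tar.gz")
    (cd "$d" && sha256sum foo.tar.gz > foo.tar.gz.sha256)

    # Constructed compromise of the distribution site: the tarball and the
    # hash file next to it are both replaced, so they agree with each other.
    printf 'tampered release contents\n' > "$d/foo.tar.gz"
    (cd "$d" && sha256sum foo.tar.gz > foo.tar.gz.sha256)

    # Check 1: digest taken from the co-located hash file.
    colocated=$(digest_from_hashfile "$d/foo.tar.gz.sha256" foo.tar.gz)
    if verify "$d/foo.tar.gz" "$colocated"; then r1=pass; else r1=fail; fi

    # Check 2: digest taken from the announcement (independent channel).
    if verify "$d/foo.tar.gz" "$announced"; then r2=pass; else r2=fail; fi

    rm -rf "$d"
    echo "hashfile=$r1 announcement=$r2"
}

demo
```

The co-located hash file passes on the replaced tarball, while the digest from the announcement fails it; a detached signature checked with `gpg --verify foo.sig foo` covers the remaining case where the announcement itself cannot be trusted.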
