On Tuesday 05 November 2013 08:12:37 Frank Karlitschek wrote:
> On 05.11.2013, at 06:17, Andreas Schneider <[email protected]> wrote:
> > On Tuesday 05 November 2013 10:03:23 Timothée Ravier wrote:
> >> On Wed, Oct 30, 2013 at 12:48 PM, Frank Karlitschek <[email protected]> wrote:
> >>> We also sign the downloads and releases from now on with a GPG key.
> >>> The official ownCloud GPG key is attached to this email and will be
> >>> linked on the website.
> >>>
> >>> http://download.owncloud.org/community/testing/owncloud-6.0.0beta2.tar.bz2
> >>>
> >>> http://download.owncloud.org/community/testing/owncloud-6.0.0beta2.tar.bz2.asc
> >
> > Frank,
> >
> > you need to sign the tar file not the zipped tar file ;)
>
> Perhaps I'm missing something but:
> Why?

It is much easier to find/produce collisions with compressed files. See e.g.

http://cryptography.hyperlink.cz/2004/otherformats.html

This is the reason why the projects do a checksum on the tar file and not on
the compressed file, see:

https://www.kernel.org/signature.html
https://www.samba.org/samba/download/

	-- andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
www.cryptomilk.org                [email protected]
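
Added example, not part of the original thread: a sketch of the practice the message refers to, where the digest is computed over the uncompressed tar stream so that one checksum or detached signature covers every compressed form of a release. The function names, the constructed in-memory tar and the choice of SHA-256 are assumptions made for illustration.

```python
import bz2, gzip, hashlib, io, lzma, tarfile, zlib

# Magic bytes -> factory for a streaming decompressor.
MAGIC = (
    (b"\x1f\x8b", lambda: zlib.decompressobj(wbits=31)),  # gzip
    (b"BZh", bz2.BZ2Decompressor),                         # bzip2
    (b"\xfd7zXZ\x00", lzma.LZMADecompressor),              # xz
)

def tar_digest(stream, chunk=65536):
    """SHA-256 of the uncompressed tar carried by a binary file object.

    Only a single compressed stream is accepted: bytes after its end, or a
    stream that never reaches its end marker, are rejected, because the
    digest of the tar says nothing about the container around it.
    """
    head = stream.read(6)
    dec = next((make() for magic, make in MAGIC if head.startswith(magic)), None)
    h = hashlib.sha256()
    data = head
    while data:
        if dec is None:
            h.update(data)                      # already a plain tar
        elif dec.eof:
            raise ValueError("data after end of compressed stream")
        else:
            h.update(dec.decompress(data))
            if dec.unused_data:
                raise ValueError("data after end of compressed stream")
        data = stream.read(chunk)
    if dec is not None and not dec.eof:
        raise ValueError("truncated compressed stream")
    return h.hexdigest()

def build_sample_tar():
    """Constructed sample input: a one-file tar built in memory."""
    buf = io.BytesIO()
    payload = b"<?php // constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("sample/index.php")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def compare_forms():
    """Map each form to (digest of the file as shipped, digest of its tar)."""
    tar = build_sample_tar()
    forms = {"tar": tar, "gz": gzip.compress(tar),
             "bz2": bz2.compress(tar), "xz": lzma.compress(tar)}
    return {name: (hashlib.sha256(blob).hexdigest(), tar_digest(io.BytesIO(blob)))
            for name, blob in forms.items()}

if __name__ == "__main__":
    for name, (file_hash, tar_hash) in compare_forms().items():
        print(f"{name:4} file={file_hash[:16]}  tar={tar_hash[:16]}")
```

The digests of the shipped files all differ, while the tar digest is identical across the four forms.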
