On 05.11.2013, at 11:01, Andreas Schneider <[email protected]> wrote:
> On Tuesday 05 November 2013 08:12:37 Frank Karlitschek wrote:
>> On 05.11.2013, at 06:17, Andreas Schneider <[email protected]> wrote:
>>> On Tuesday 05 November 2013 10:03:23 Timothée Ravier wrote:
>>>> On Wed, Oct 30, 2013 at 12:48 PM, Frank Karlitschek
>>>> <[email protected]> wrote:
>>>>> We also sign the downloads and releases from now on with a GPG key.
>>>>> The official ownCloud GPG key is attached to this email and will be
>>>>> linked on the website.
>>>>>
>>>>> http://download.owncloud.org/community/testing/owncloud-6.0.0beta2.tar.bz2
>>>>>
>>>>> http://download.owncloud.org/community/testing/owncloud-6.0.0beta2.tar.bz2.asc
>>>
>>> Frank,
>>>
>>> you need to sign the tar file not the zipped tar file ;)
>>
>> Perhaps I'm missing something but:
>> Why?
>
> It is much easier to find/produce collisions with compressed files.
>
> See e.g.
>
> http://cryptography.hyperlink.cz/2004/otherformats.html
>
> This is the reason why the projects do a checksum on the tar file and not
> on the compressed file, see:
>
> https://www.kernel.org/signature.html
> https://www.samba.org/samba/download/

O.K. Thanks for the tip. I will look into it.

Frank

> -- andreas
>
> --
> Andreas Schneider GPG-ID: CC014E3D
> www.cryptomilk.org [email protected]
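
When a checksum or signature is published for the uncompressed tar, as the thread describes for kernel.org and Samba, a download has to be decompressed before it is hashed. The following is an added example, not part of the original thread: it hashes the tar stream inside a .gz, .bz2 or .xz download and compares it with the value published for the .tar. The helper names and the sample archive are constructed for illustration.

```python
import bz2
import gzip
import hashlib
import io
import lzma
import tarfile

# Magic bytes of the compressed containers a release is commonly shipped in.
MAGIC = {b"\x1f\x8b": gzip.open, b"BZh": bz2.open, b"\xfd7zXZ\x00": lzma.open}

def tar_digest(stream, chunk=64 * 1024):
    """Return the SHA-256 of the uncompressed tar carried by a binary stream."""
    head = stream.read(6)
    stream.seek(0)
    opener = next((o for m, o in MAGIC.items() if head.startswith(m)), None)
    src = opener(stream) if opener else stream  # no magic: already a plain tar
    h = hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def build_sample_tar():
    """Constructed sample release: one small file in an in-memory tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"<?php echo 'constructed sample';\n" * 200
        info = tarfile.TarInfo("sample-1.0/index.php")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():
    """Map each download name to (raw file hash matches, inner tar hash matches)."""
    tar_bytes = build_sample_tar()
    published = hashlib.sha256(tar_bytes).hexdigest()  # checksum over the .tar
    downloads = {
        "sample.tar": tar_bytes,
        "sample.tar.gz": gzip.compress(tar_bytes),
        "sample.tar.bz2": bz2.compress(tar_bytes),
        "sample.tar.xz": lzma.compress(tar_bytes),
    }
    results = {}
    for name, blob in downloads.items():
        file_hash = hashlib.sha256(blob).hexdigest()   # hash of the bytes on disk
        inner_hash = tar_digest(io.BytesIO(blob))      # hash after decompression
        results[name] = (file_hash == published, inner_hash == published)
    return results

if __name__ == "__main__":
    print(demo())
```

Hashing the compressed file directly fails against a checksum made over the tar, while the decompressed stream matches for every container format.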
