"Marc G. Fournier" <[EMAIL PROTECTED]> writes: > On Sun, 2 Feb 2003, Neil Conway wrote: >> - ensuring that end users can trust PostgreSQL is an important part to >> getting the product used in mission-critical applications, as I'm sure >> you all know. Part of that is producing good software; another part is >> ensuring that users can trust that the software we put out hasn't been >> tampered with.
> right, that is why we started to provide md5 checksums ... The md5 checksum is useful as a cross-check that you've got a clean copy, but it doesn't prove that the copy on the FTP site hasn't been tampered with. Someone who's managed to break into the FTP server could replace the tarball with a trojaned version *and* alter the md5 file to match. The point of a PGP signature is that only someone who has the corresponding secret key could make a signature file that matches the tarball and the public key. regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 2: you can get off all lists at once with the unregister command (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])