Hash: SHA1

> So you put the MD5 sum into the release announcement email.  That is
> downloaded by many people and also archived in many distributed places
> that we don't control, so it would be very hard to tamper with.  
> ISTM that this gives you the same result as a PGP signature but with 
> much less administrative overhead.

Not the same results. For one thing, the mailing announcement may be 
archived on google, but asking people to search google for an MD5 sum 
as they download the tarball is hardly feasible. Second, it still does 
not prevent someone from breaking into the server and replacing the 
tarball with their own version, and their own MD5 checksum. Or maybe 
just one of the mirrors. Users are not going to know to compare that 
MD5 with versions on the web somewhere. Third, is does not allow a 
positive history to be built up due to signing many releases over time. 
With PGP, someone can be assured that the 9.1 tarball they just 
downloaded was signed by the same key that signed the 7.3 tarball 
they've been using for 2 years. Fourth, only with PGP can you trace 
your key to the one that signed the tarball, an additional level of 
security. MD5 provides an integrity check only. Any security it 
affords (such as storing the MD5 sum elsewhere) is trivial and 
should not be considered when using PGP is standard, easy to implement,
and has none of MD5s weaknesses.

- --
Greg Sabino Mullane  [EMAIL PROTECTED]
PGP Key: 0x14964AC8 200302102250
Comment: http://www.turnstep.com/pgp.html


---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly

Reply via email to