
Are there any plans to provide any kind of verification for the tar-balls
from php.net (md5, gpg, whatever)? Due to the latest incidents (openssh
et al.) more people are aware of the fact that changed sources could be
a problem.

I know, you're talking about providing this stuff to pear, but what about
the actual php-sources? It shouldn't be a problem to add some md5 stuff to
each tarball (for the time being). At least one could then be sure that
the mirrors (where we all download our sources ;) ) didn't compromise it
(if I download the md5 sig from another server...). Using GPG (or openssl
as discussed some days ago) would provide more security than just md5, but
maybe we should wait for the verifying pear-installer for doing that.


PHP Development Mailing List <http://www.php.net/>
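The point made in the message above, that an md5 list only detects a changed mirror copy when the list comes from a different server, shown as an added example (not part of the original post and not PHP's own tooling). The file name and tarball bytes are constructed placeholders, and accepting sha256 digests alongside md5 goes beyond what the message proposes.

```python
import hashlib
import hmac

# Digest algorithm picked by hex length: md5 is what the message proposes,
# sha256 is an added generalization.
ALGOS = {32: "md5", 64: "sha256"}

def parse_checksum_file(text):
    """Parse md5sum/sha256sum-style lines ('<hex>  <filename>') into a dict."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in md5sum output
        digest = digest.lower()
        if len(digest) not in ALGOS or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest
    return sums

def verify_tarball(name, data, checksum_text):
    """True only if data matches the digest listed for name."""
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False  # a file missing from the list counts as unverified
    actual = hashlib.new(ALGOS[len(expected)], data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data: bytes standing in for a release tarball.
NAME = "php-x.y.z.tar.gz"  # placeholder file name
GENUINE = b"constructed stand-in for the genuine tarball"
ALTERED = GENUINE + b" plus a change made on a mirror"
# Checksum list as published on the primary server, independent of the mirror.
PRIMARY_SUMS = f"{hashlib.md5(GENUINE).hexdigest()}  {NAME}\n"
# Checksum list regenerated on the mirror after its copy was changed.
MIRROR_SUMS = f"{hashlib.md5(ALTERED).hexdigest()}  {NAME}\n"

def demo():
    return {
        "genuine_vs_primary_list": verify_tarball(NAME, GENUINE, PRIMARY_SUMS),
        "altered_vs_primary_list": verify_tarball(NAME, ALTERED, PRIMARY_SUMS),
        "altered_vs_mirror_list": verify_tarball(NAME, ALTERED, MIRROR_SUMS),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'OK' if ok else 'MISMATCH'}")
```

The third case passes verification even though the tarball was changed, which is why the list has to come from a server other than the mirror, or carry a signature as the message suggests with GPG.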