I think in the same direction. First I will try to compare the generated hash with the hash from the mirror. In a second step I will then try to determine the original .md5 file and compare to this one. Basically the web-of-trust is pretty hard to automate right now. You already have a KEYS file with quite a lot of keys, but you cannot tell which key signed the file. There is no way to do this (or I missed it). So right now, I will concentrate on the MD5-stuff.
Markus

> > Basically the MD5 Hash does not need keys.
> > [...]
> > Also apache.org delivers a file named .asc
>
> Ok, thanks, I get it now (I think.)
>
> This explains some of the negative comments I've heard about MD5 then (it
> not being too strong). I read on some, on one Apache list, that folks will
> be ok with this being strong enough though. What will be tricky for us,
> should we choose to attempt it, will be supporting mirrors yet using the
> original MD5 from Apache...
>
> Since ASC has keys, that ties in to the 'web of trust' that Apache is
> working on, I think. Once one trusts a certain set of keys, those keys can
> be used to verify others that are acquired, and those can be used to verify
> the ASC. This is much harder to automate, but something we could aspire to...
>
> regards,
>
> Adam
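An added example, not part of this thread and not code from any Apache project: the two-step comparison described above, checking the computed MD5 against the mirror's .md5 first and the origin's .md5 second. The .md5 layouts the parser accepts, the function names, and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")

def parse_md5_file(text):
    """Pull the digest out of a .md5 file in any of the assumed layouts."""
    for line in text.splitlines():
        m = HEX32.search(line)
        if m:  # bare digest, "digest  name", or "MD5 (name) = digest"
            return m.group(0).lower()
        # "name: 5D 41 40 ..." layout: hex pairs separated by spaces
        tail = re.sub(r"\s+", "", line.rsplit(":", 1)[-1])
        if re.fullmatch(r"[0-9a-fA-F]{32}", tail):
            return tail.lower()
    raise ValueError("no MD5 digest found")

def md5_hex(chunks):
    """Hash an iterable of byte chunks, as when streaming a download."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def check_download(chunks, mirror_md5_text, origin_md5_text):
    """Step 1: compare with the mirror's .md5. Step 2: compare with the origin's."""
    actual = md5_hex(chunks)
    same_as_mirror = hmac.compare_digest(actual, parse_md5_file(mirror_md5_text))
    same_as_origin = hmac.compare_digest(actual, parse_md5_file(origin_md5_text))
    if same_as_origin:
        return "ok" if same_as_mirror else "ok-but-mirror-md5-differs"
    # Matching only the mirror proves nothing: whoever can change the file
    # on a mirror can change the .md5 next to it.
    return "mirror-differs-from-origin" if same_as_mirror else "corrupt-download"

# Constructed sample data (not real Apache artifacts).
ARTIFACT = [b"constructed ", b"release ", b"tarball"]
ALTERED = [b"constructed ", b"altered ", b"tarball"]
_good, _bad = md5_hex(ARTIFACT), md5_hex(ALTERED)
ORIGIN_MD5 = "MD5 (demo-1.0.tar.gz) = %s\n" % _good
MIRROR_MD5 = "demo-1.0.tar.gz: %s\n" % " ".join(
    _good[i:i + 2].upper() for i in range(0, 32, 2))
ALTERED_MIRROR_MD5 = "%s  demo-1.0.tar.gz\n" % _bad

if __name__ == "__main__":
    print(check_download(ARTIFACT, MIRROR_MD5, ORIGIN_MD5))
    print(check_download(ALTERED, ALTERED_MIRROR_MD5, ORIGIN_MD5))
```

The second call shows why the mirror's own .md5 only catches transfer damage: an altered file with a matching altered checksum passes step 1 and is caught only by the origin comparison.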