On Monday, 14 February 2022 at 18:12:25 UTC, Era Scarecrow wrote:
> For Linux sources there's MD5 and SHA-1 hashes I believe. If you have two or three hashes for comparison, the likelihood of someone changing something without those two changing seems VEEEERY low.
I usually grab the sources from github, but for binaries I'd like higher resolution SHAs presented on a secured server, different from the one hosting the files. The main concern is that hackers might obtain access to both the binary and the website that presents the SHA…
PGP is good in theory, but if the keys are presented in a context that isn't secured then what good use is it? There ought to be some central authority for PGP/GPG, it isn't all that difficult to implement either. The central authority could verify the email. Without that SHA is easier to deal with…
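As an added illustration of the checksum workflow discussed in both posts above (this is example code, not something either poster or the D project published): it parses a sha256sum/md5sum-style list as a distributor would publish it on a separate host, checks a downloaded artifact against every listed algorithm, and treats a missing entry as a failure rather than a pass. The artifact bytes, file name and the "published" lists are all constructed inline from that data, so no real release hashes appear; the comparison uses a constant-time check so the verifier itself does not leak how many hex characters matched. A checksum list only guards the transfer, not a compromised host, which is the gap the second post raises.

```python
"""Verify a downloaded artifact against published checksum lists.

Added example, not code from the original thread. All inputs below are
constructed: the artifact is a placeholder byte string and the checksum
lists are derived from it here rather than taken from any real release.
"""
import hashlib
import hmac

# Constructed stand-in for a downloaded binary release.
ARTIFACT_NAME = "example-release.tar.xz"
ARTIFACT_BYTES = b"pretend this is a release tarball\n"


def digests(data: bytes) -> dict:
    """Hex digests for the algorithms commonly listed next to releases."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def parse_sums(text: str) -> dict:
    """Parse 'HEX  filename' lines (sha256sum/md5sum output) into {filename: hex}.

    A leading '*' on the name (binary-mode marker) is stripped; blank lines and
    '#' comments are ignored; anything else malformed is rejected loudly."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        hexdigest, name = parts
        out[name.lstrip("*")] = hexdigest.lower()
    return out


def verify(data: bytes, name: str, published: dict, algo: str) -> bool:
    """Compare the computed digest with the published one in constant time.

    Returns False when the file is not listed at all, so a missing entry can
    never be mistaken for a successful check."""
    expected = published.get(name)
    if expected is None:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def verify_all(data: bytes, name: str, sum_files: dict) -> dict:
    """Check the artifact against every published list; all must agree."""
    return {algo: verify(data, name, parse_sums(text), algo)
            for algo, text in sum_files.items()}


def published_lists(data: bytes, name: str) -> dict:
    """Constructed stand-in for the MD5SUMS/SHA1SUMS/SHA256SUMS files a
    distributor would publish, ideally on a host separate from the download."""
    d = digests(data)
    return {algo: f"{d[algo]}  {name}\n" for algo in d}


# The "published" lists are derived from the pristine artifact (constructed).
PUBLISHED = published_lists(ARTIFACT_BYTES, ARTIFACT_NAME)

# A modified download: every listed algorithm must now disagree.
TAMPERED = ARTIFACT_BYTES.replace(b"release", b"modified")

if __name__ == "__main__":
    print("pristine:", verify_all(ARTIFACT_BYTES, ARTIFACT_NAME, PUBLISHED))
    print("tampered:", verify_all(TAMPERED, ARTIFACT_NAME, PUBLISHED))
```

Running it prints one all-True and one all-False result. The same `verify_all` works unchanged on real MD5SUMS/SHA256SUMS files read from disk, which is the point: the checking logic is trivial, and the hard part is where the list came from.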