Jeroen van Meeuwen wrote:
> The goal is, of course, to verify the .iso against what is listed as
> it's sha256sum. Whether the tools ultimately come from the same
> source doesn't matter. It should, though, be advisable to not
> include the sha246sum.exe on the mirrors, and only serve the file
> over http over ssl.

Indeed, that's the plan.  It would be served up via SSL, just as the
GPG keys and *-CHECKSUM files are currently.  That way, if someone
comes to, they at least have our SSL
certificate as a starting point for trust.

Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL:
Chemistry is applied theology.
    -- Augustus Owsley Stanley

Attachment: pgp0qos7fFgIc.pgp
Description: PGP signature

Fedora-infrastructure-list mailing list

Reply via email to