robert burrell donkin wrote:

> IMO signatures are more important (than md5 sums) for the ASF and
> less important for users. md5 sums are quick and easy to understand.

If we were ever hacked, MD5 sums could be replaced without detection. That cannot be done with PGP keys, and we have had people e-mail our security folks when they cannot locate the key for checking. I'd sooner have files uploaded signed, and generate the MD5s locally if missing.

> what would be useful is a list of fingerprints for code signing keys on
> the website. it would also give an extra independent security layer.

We have KEYS, which is supposed to have the public key, and we have a new server in the UK that is supposed to provide certificate-based services for the ASF.

--- Noel