On 18 Jul 2004, at 01:03, Noel J. Bergman wrote:

robert burrell donkin wrote:
IMO signatures are more important (than md5 sums) for the ASF and
less important for users. md5 sums are quick and easy to understand.

If we were ever hacked, MD5 sums could be replaced without detection. That
cannot be done with PGP keys, and we have had people e-mail our security
folks when they cannot locate the key for checking. I'd sooner have files
uploaded signed, and generate the MD5s locally if missing.

+1

the added security is more than worth the small amount of additional effort required from release managers.

we need better documentation, though, both for release managers and users. there used to be some reasonably good pages on the old wiki. is there any consensus about where the right place for this kind of information is?

what would be useful is a list of fingerprints for code signing keys on
the website. it would also give an extra independent security layer.

We have KEYS, which is supposed to have the public key, and we have a new
server in the UK that is supposed to provide certificate based services for
the ASF.

it'll be cool when that's up and running.

i'd like to encourage those who verify signatures for downloads to check fingerprints for the key from a page whose contents are stored in CVS and ideally download the keys from an independent public key server. IMHO having key fingerprints in CVS and available on the web would make it much more likely that any compromise of the KEYS files will be detected before too much harm is done.

- robert
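
The cross-check proposed above, sketched as an added example (not part of the original message or any ASF tooling): it compares the primary-key fingerprints found in a KEYS file with a fingerprint list kept elsewhere, such as a page stored in CVS. The function names and all sample keys are hypothetical, and the listing is assumed to be in GnuPG's colon-delimited format.

```python
# Added example: audit a KEYS file against independently published fingerprints.
# Input format: `gpg --show-keys --with-colons KEYS`; all sample values are constructed.

def normalize(fpr):
    """Published fingerprints often contain spaces; compare in one form."""
    return "".join(fpr.split()).upper()

def primary_fingerprints(colon_listing):
    """Map each primary-key fingerprint to its first user ID."""
    keys, current, want_fpr = {}, None, False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if len(fields) < 10:
            continue
        rec, value = fields[0], fields[9]
        if rec == "pub":
            current, want_fpr = None, True
        elif rec == "sub":
            want_fpr = False  # the next fpr record belongs to a subkey
        elif rec == "fpr" and want_fpr:
            current, want_fpr = normalize(value), False
            keys[current] = None
        elif rec == "uid" and current and keys[current] is None:
            keys[current] = value
    return keys

def audit_keys(colon_listing, pinned):
    """Compare the keys in KEYS with the pinned fingerprint list."""
    in_keys = primary_fingerprints(colon_listing)
    pinned_set = {normalize(f) for f in pinned}
    return {
        "ok": sorted(f for f in in_keys if f in pinned_set),
        # In KEYS but never published: possible tampering with KEYS.
        "unpinned": sorted(f for f in in_keys if f not in pinned_set),
        # Published but absent from KEYS: removed, or not yet added.
        "missing": sorted(pinned_set - set(in_keys)),
    }

FPR_A, FPR_SUB, FPR_C, FPR_D = "A1" * 20, "B2" * 20, "C3" * 20, "D4" * 20
KEYS_LISTING = f"""pub:-:1024:17:{FPR_A[-16:]}:1090000000:::-:::scESC:
fpr:::::::::{FPR_A}:
uid:-::::1090000000::::Release Manager One <rm1@example.org>:
sub:-:1024:16:{FPR_SUB[-16:]}:1090000000::::::e:
fpr:::::::::{FPR_SUB}:
pub:-:1024:17:{FPR_C[-16:]}:1090000000:::-:::scESC:
fpr:::::::::{FPR_C}:
uid:-::::1090000000::::Unknown Uploader <unknown@example.org>:
"""
PINNED = [" ".join(["a1a1"] * 10), " ".join(["d4d4"] * 10)]  # as shown on a web page
```

Calling `audit_keys(KEYS_LISTING, PINNED)` reports the second key as `unpinned`, which is the signal that KEYS and the independently stored list have diverged.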

