octave-maintainers

Re: CGI scripts on www.octave.org broken


From: Przemek Klosowski
Subject: Re: CGI scripts on www.octave.org broken
Date: Thu, 1 Apr 2004 09:18:20 -0500 (EST)

   > On Mar 31 Dmitri A. Sergatskov (address@hidden) wrote:
   > 
   >>Perhaps the easiest thing would be providing MD5 signatures of the uploaded files
   >>when you announce a new release...

   Steve Lipa wrote:
   > This is nice, but it only provides an indication that the file transfer
   > worked properly, which is probably addressed by FTP or whatever protocol

For what it is worth, RPM format (RedHat package installation format,
adopted by other Linux distros as well) uses both, and I think it is a
good idea.  The problem with digital signatures is that they require
infrastructure on both ends---note that even though RPM clients provide
the functionality, you still have to retrieve the public keys, and most
people don't bother.

MD5SUM, when it is computed by John on his personal system right after
generating the binaries, and distributed in a way that does not allow
for surreptitious modification, is as secure as a digital signature.
In other words, a digital signature's main advantage is that only John
can generate it---but if you get an MD5SUM from John's announcement to the
mailing list, you basically have the same assurance of origin.
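
The workflow discussed in this message, as an added example that is not part of the original post or of any Octave tooling: a Python check of downloaded files against the MD5 lines copied out of a release announcement. The file names, the announcement text and the function names are constructed for illustration; the result says only whether each file matches what the announcement states.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# md5sum-style line: 32 hex digits, whitespace, optional '*' (binary), name.
DIGEST_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+\*?(\S.*?)\s*$")

def parse_announcement(text):
    """Extract {filename: md5 hex} from digest lines in an announcement body."""
    digests = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line)
        if m:
            digests[m.group(2)] = m.group(1).lower()
    return digests

def file_md5(path, chunk=1 << 16):
    """Hash the file in chunks so large release archives need little memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(download_dir, announcement):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for each announced file."""
    results = {}
    for name, expected in parse_announcement(announcement).items():
        path = Path(download_dir) / Path(name).name  # ignore any directory part
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if file_md5(path) == expected else "mismatch"
    return results

def demo():
    """Constructed sample: one intact file, one altered file, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed release tarball\n"
        (Path(d) / "pkg-1.0.tar.gz").write_bytes(good)
        (Path(d) / "pkg-1.0.rpm").write_bytes(b"altered after upload\n")
        announcement = (
            "New release is on the FTP site. MD5 sums:\n"
            f"{hashlib.md5(good).hexdigest()}  pkg-1.0.tar.gz\n"
            f"{hashlib.md5(b'original rpm').hexdigest()}  pkg-1.0.rpm\n"
            f"{'0' * 32}  pkg-1.0.zip\n"
        )
        return verify(d, announcement)
```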


