[dev] Distributing tarballs with md5 sums or GPG signatures
Kevin Myer
kevin_myer at iu13.org
Tue Jul 26 07:44:41 PDT 2005
Quoting Jan Schneider <jan at horde.org>:
> Zitat von Kevin Myer <kevin_myer at iu13.org>:
>
>> I noticed that the code for Horde and apps available for download is not
>> distributed with any sort of checksum or other integrity verification means.
>
> That's not true, all announcement messages contain the MD5 sums.
Sorry, I should have been more specific. There is nothing directly associated
with a download on ftp.horde.org. In other words, there is no easy-to-access
collection of MD5 sums anywhere. There is an archive of announcement messages,
which I can search, but that would not generally encourage people to verify
checksums. But if I don't download using a link in an announcement, I have to
go back and search for the md5sum.
In fact, keeping the two separate is a good idea, since if I can compromise a
server, and replace tarballs, I can also compute new md5sums for the tarballs
and replace them as well. What I was getting at was having a separate but
consolidated listing of md5sums (or GPG signing releases, which negates the
need to keep them separate, unless someone can obtain your key as well).
Kevin
--
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13 http://www.iu13.org
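As an added illustration of the point made above (not code from this thread or from the Horde project), the following Python models a release server as a dict and shows that an md5 file stored beside the tarball is simply regenerated together with it, while a digest obtained out of band (the announcement mail) still catches the swap. Function names and the sample tarball name are assumptions made for this illustration.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def publish_release(server: dict, name: str, tarball: bytes) -> str:
    """Maintainer uploads the tarball and a co-located .md5 file.
    Returns the digest that also goes into the announcement mail."""
    digest = md5_hex(tarball)
    server[name] = tarball
    server[name + ".md5"] = f"{digest}  {name}\n"
    return digest


def replace_tarball(server: dict, name: str, tarball: bytes) -> None:
    """Anyone with write access to the server can swap the tarball and
    regenerate the neighbouring .md5 file so the two stay consistent."""
    server[name] = tarball
    server[name + ".md5"] = f"{md5_hex(tarball)}  {name}\n"


def verify_colocated(server: dict, name: str) -> bool:
    """Check the download against the .md5 file fetched from the same server."""
    expected = server[name + ".md5"].split()[0]
    return md5_hex(server[name]) == expected


def verify_announced(server: dict, name: str, announced_md5: str) -> bool:
    """Check the download against a digest obtained out of band."""
    return md5_hex(server[name]) == announced_md5


def demo() -> dict:
    """Run both checks before and after the tarball is replaced."""
    server = {}  # constructed stand-in for the download server
    name = "example-1.0.tar.gz"  # constructed sample release name
    announced = publish_release(server, name, b"original release contents")
    before = (verify_colocated(server, name), verify_announced(server, name, announced))
    replace_tarball(server, name, b"tampered contents")
    after = (verify_colocated(server, name), verify_announced(server, name, announced))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())  # → {'before': (True, True), 'after': (True, False)}
```

A detached GPG signature gives the same separation without a second channel, because regenerating it requires the maintainer's private key rather than write access to the server.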