[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: gpg signatures for release tarballs?
- From: "Joseph C. Sible" <josephcsible@...>
- Date: Fri, 28 Jan 2022 21:53:33 -0500
How would you know what the public key is? If you were to get it from
the website, then isn't trusting that equivalent to trusting the
One thing I do think would be a good idea, though, is to publish a
non-broken hash (e.g., sha256) instead of just md5 and sha1, both of
which are broken.
Joseph C. Sible
On Fri, Jan 28, 2022 at 9:34 PM Anonymous <firstname.lastname@example.org> wrote:
> You only publish release checksums. The resulting scheme is weak: I need
> to trust HTTPS which is security theatre given how vulnerable CAs are.
> Please consider publishing cryptographic signatures of some kind