-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tim Starling wrote:
> Brion Vibber wrote:
>> Looks like Tim forgot to update the GPG signature files when he
>> re-issued the release; we'll make sure they get re-done. The file
>> checksums match, so we're good for now. :)
>
> It takes about 10 minutes to upload all the files for a release. I didn't
> want to wait that long, so I generated them on zwinger instead, where I
> don't have a GPG key.
>
> Maybe we could just serve the uploads via HTTPS and quit this mucking
> around with hashes and GPG. Hardly anyone checks them anyway.

Hashes and keys are nice for confirming that:
a) the file wasn't corrupted in download or on a mirror
b) the file didn't get corrupted on the master download server
c) the file didn't get surreptitiously replaced by an attacker
HTTPS helps with none of these.
(A signature file *on the same server* could have been replaced with
another signature file with a valid signature... but unless the signer's
key was compromised it would be with a different key, likely not a
trusted one.)
Note also that checksums of source packages are often checked
automatically as part of package build systems, to confirm that the
right file was downloaded.
- -- brion
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjquPEACgkQwRnhpk1wk44tFACfWtbluFsmvUMO9RQK/GeD9xNj
vwMAoJAQX9q+q0VeHfjYr1DG/Xs8naOM
=GVRX
-----END PGP SIGNATURE-----
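
The following is an added example, not part of the original message or of any project's code. It illustrates the points about corruption, replacement, and build-system checksum checks by comparing a checksum file served beside the download with a checksum pinned in a build recipe. SHA-256, the file name, and the sample bytes are assumptions constructed for the illustration.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_checksum_file(text: str) -> dict:
    """Parse sha256sum-style lines: '<hex digest>  <filename>'."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        int(digest, 16)  # raises ValueError if the digest is not hex
        sums[name] = digest.lower()
    return sums

def matches(blob: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(blob), expected_hex.lower())

NAME = "example-1.0.tar.gz"                        # hypothetical file name
RELEASE = b"constructed sample release contents\n"  # constructed sample data
PINNED = sha256_hex(RELEASE)  # digest recorded in a build recipe at packaging time

def check_scenarios() -> dict:
    """Return {scenario: (same-server checksum ok, pinned checksum ok)}."""
    replaced = b"constructed sample substituted contents\n"
    # Each entry: (bytes served as the file, bytes the served checksum file describes)
    served = {
        "intact": (RELEASE, RELEASE),
        "corrupted on mirror": (RELEASE[:-5], RELEASE),
        "file and checksum file both replaced": (replaced, replaced),
    }
    results = {}
    for label, (blob, summed) in served.items():
        sums = parse_checksum_file(f"{sha256_hex(summed)}  {NAME}\n")
        results[label] = (matches(blob, sums[NAME]), matches(blob, PINNED))
    return results

if __name__ == "__main__":
    for label, (same_server, pinned) in check_scenarios().items():
        print(f"{label}: same-server checksum ok={same_server}, pinned ok={pinned}")
```

Only the last scenario separates the two checks: a checksum file that lives beside the download catches corruption but not replacement, which is why the reference value (a pinned digest, or a signature from a trusted key) has to come from somewhere the download server does not control.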