Tim Starling wrote:
> Brion Vibber wrote:
>> Looks like Tim forgot to update the GPG signature files when he re-issued the release; we'll make sure they get re-done. The file checksums match, so we're good for now. :)
>
> It takes about 10 minutes to upload all the files for a release. I didn't want to wait that long, so I generated them on zwinger instead, where I don't have a GPG key.
>
> Maybe we could just serve the uploads via HTTPS and quit this mucking around with hashes and GPG. Hardly anyone checks them anyway.

Hashes and keys are nice for confirming that:
a) the file wasn't corrupted in download or on a mirror
b) the file didn't get corrupted on the master download server
c) the file didn't get surreptitiously replaced by an attacker
HTTPS helps with none of these.
(A signature file *on the same server* could have been replaced with another signature file with a valid signature... but unless the signer's key was compromised it would be with a different key, likely not a trusted one.)
Note also that checksums of source packages are often checked automatically as part of package build systems, to confirm that the right file was downloaded.
-- brion
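
The checks discussed in this thread, as an added example that is not part of the original messages: a build-system style checksum comparison, followed by a detached-signature check that also rejects a valid signature made by a key other than the expected one. SHA-256, the pinned fingerprint and the sample status text are assumptions made for the example; the status keywords are the ones `gpg --status-fd` emits.

```python
import hashlib
import hmac
import subprocess

# gpg --status-fd keywords that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample data (not real keys): a pinned fingerprint and the status
# output gpg would print for a valid signature made by a different key.
PINNED_FPR = "A" * 40
OTHER_KEY_STATUS = (
    "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Someone Else\n"
    "[GNUPG:] VALIDSIG " + "B" * 40 + " 2007-01-01 1167609600 0 4 0 1 2 00 " + "B" * 40 + "\n"
)


def sha256_matches(path, expected_hex):
    """Stream the file and compare its SHA-256 with the published value."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_hex.strip().lower())


def signer_is_pinned(status_text, pinned_fpr):
    """True only for a good signature whose key fingerprint is the pinned one."""
    pinned = pinned_fpr.replace(" ", "").upper()
    matched = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return False
        # VALIDSIG: fields[2] is the signing (sub)key, the last field the primary key.
        if fields[1] == "VALIDSIG" and len(fields) > 2 and pinned in (fields[2].upper(), fields[-1].upper()):
            matched = True
    return matched


def verify_release(tarball, sig, expected_sha256, pinned_fpr):
    """Checksum first, then the detached signature and who made it."""
    if not sha256_matches(tarball, expected_sha256):
        return False
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        capture_output=True, text=True)
    return proc.returncode == 0 and signer_is_pinned(proc.stdout, pinned_fpr)
```

The pinned fingerprint has to come from somewhere other than the download server, otherwise a swapped signature file and a swapped fingerprint arrive together.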