Re: PGP signing release

From: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Greg Copeland <greg(at)CopelandConsulting(dot)Net>, Curt Sampson <cjs(at)cynic(dot)net>, PostgresSQL Hackers Mailing List <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PGP signing release
Date: 2003-02-12 04:55:28
Message-ID: 20030212005308.J43952@hub.org
Lists: pgsql-hackers

On Tue, 11 Feb 2003, Bruce Momjian wrote:

>
> I hate to poo-poo this, but this "web of trust" sounds more like a "web
> of confusion". I liked the idea of mentioning the MD5 in the email
> announcement. It doesn't require much extra work, and doesn't require a
> 'web of %$*&" to be set up to check things. Yea, it isn't as secure as
> going through the motions, but if someone breaks into that FTP server
> and changes the tarball and MD5 file, we have much bigger problems than
> someone modifying the tarballs; our CVS is on that machine too.

It's so rare that it happens, but I do agree with Bruce :)

Justin, one thought ... storing the MD5s in the database for the
postgresql.org site, so that ppl can compare the two places? We'd
*really* have to be compromised for that to fail, but adding the md5s
would be easy enough ...
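
Added example, not part of the original message or of the PostgreSQL project's tooling: one way to carry out the comparison proposed above, checking a download against checksums published in two places (here the announcement email and the website). The file name, sample bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import io

HEX = set("0123456789abcdef")

def parse_checksum_list(text):
    """Parse md5sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.strip()
        if name.startswith("*"):          # md5sum binary-mode marker
            name = name[1:]
        digest = digest.lower()
        if name and len(digest) == 32 and set(digest) <= HEX:
            sums[name] = digest
    return sums

def stream_md5(stream, chunk=65536):
    """Hash a file-like object in chunks so large tarballs are not read into memory."""
    h = hashlib.md5()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def cross_check(name, stream, announced, website):
    """Compare the download against two independently published checksum lists."""
    a, b = announced.get(name), website.get(name)
    if a is None or b is None:
        return "missing"            # one channel does not list this file
    if not hmac.compare_digest(a, b):
        return "sources-disagree"   # one channel was altered; trust neither
    actual = stream_md5(stream)
    return "ok" if hmac.compare_digest(actual, a) else "file-mismatch"

# Constructed sample data: stand-in tarball bytes and two checksum listings.
NAME = "example-release.tar.gz"
TARBALL = b"constructed tarball contents"
GOOD = hashlib.md5(TARBALL).hexdigest()
EMAIL = parse_checksum_list(f"{GOOD}  {NAME}\n")
SITE = parse_checksum_list(f"{GOOD.upper()} *{NAME}\n")

if __name__ == "__main__":
    print(cross_check(NAME, io.BytesIO(TARBALL), EMAIL, SITE))               # clean download
    print(cross_check(NAME, io.BytesIO(TARBALL + b"x"), EMAIL, SITE))        # modified tarball
    print(cross_check(NAME, io.BytesIO(TARBALL), EMAIL, {NAME: "0" * 32}))   # altered listing
```

A "sources-disagree" result means one of the two publication channels has been changed, which is the case the second copy of the checksums exists to catch.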
