Re: PGP signing releases - Mailing list pgsql-hackers

From Kurt Roeckx
Subject Re: PGP signing releases
Date
Msg-id 20030203195503.GA12917@ping.be
In response to Re: PGP signing releases  (Greg Copeland <greg@CopelandConsulting.Net>)
Responses Re: PGP signing releases  (Curt Sampson <cjs@cynic.net>)
Re: PGP signing releases  (Greg Copeland <greg@CopelandConsulting.Net>)
List pgsql-hackers
On Mon, Feb 03, 2003 at 12:24:14PM -0600, Greg Copeland wrote:
> On Sun, 2003-02-02 at 20:23, Marc G. Fournier wrote:
> 
> > right, that is why we started to provide md5 checksums ...
> 
> md5 checksums only validate that the intended package (trojaned or
> legit) has been properly received.  They offer nothing from a security
> perspective unless the checksums have been signed with a key which can
> be readily validated from multiple independent sources.

If you can get the md5 sum of "multiple independent sources",
it's about the same thing.  It all depends on how much you trust
those sources.

I'm not saying md5 is as secure as pgp, not at all, but you can't
trust those pgp keys to be the real ones either.


Kurt
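A worked illustration of the point above (a checksum served next to the download versus checksums obtained from several independent sources), added here as an example and not code from the thread or the PostgreSQL project; the tarball contents, the source names and the quorum size are constructed.

```python
"""Release verification: single checksum source versus several independent
sources. Constructed scenario: a mirror has been compromised and serves a
tampered tarball together with a matching md5 file, so the mirror's own
checksum still "validates". Comparing against checksums published by
independent sources catches the substitution; the single-source check does not.
"""
import hashlib

# Constructed sample data: the genuine release and a tampered copy.
GENUINE = b"postgresql-7.3.2.tar.gz: genuine contents"
TROJANED = b"postgresql-7.3.2.tar.gz: tampered contents"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Checksums as published by independent parties (announcement mail, a second
# mirror, a distribution's package metadata). Hypothetical source names; all
# three were computed from the genuine tarball.
INDEPENDENT_SUMS = {
    "announce-mail": md5_hex(GENUINE),
    "mirror-b": md5_hex(GENUINE),
    "distro-metadata": md5_hex(GENUINE),
}


def verify_single_source(tarball: bytes, published_sum: str) -> bool:
    """Check against the checksum served beside the download. This only
    detects transfer corruption: whoever replaced the tarball on that
    server could replace the checksum file as well."""
    return md5_hex(tarball) == published_sum


def verify_multi_source(tarball: bytes, sums: dict, quorum: int) -> bool:
    """Accept the tarball only if at least `quorum` independent sources agree
    on its checksum. This still rests on trusting that the sources really
    are independent and were not all fed the same tampered copy."""
    actual = md5_hex(tarball)
    agreeing = sum(1 for s in sums.values() if s == actual)
    return agreeing >= quorum


if __name__ == "__main__":
    # The compromised mirror serves TROJANED plus md5(TROJANED).
    mirror_sum = md5_hex(TROJANED)
    print("single-source, trojaned:", verify_single_source(TROJANED, mirror_sum))  # True
    print("multi-source, trojaned:", verify_multi_source(TROJANED, INDEPENDENT_SUMS, 2))  # False
    print("multi-source, genuine:", verify_multi_source(GENUINE, INDEPENDENT_SUMS, 2))  # True
```

The same quorum logic applies unchanged to a signed checksum file: the signature moves the trust question from "are these sources independent" to "is this key the real one", which is the trade-off the message describes.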


