Re: PGP signing release - Mailing list pgsql-hackers

From Marc G. Fournier
Subject Re: PGP signing release
Date
Msg-id 20030212005308.J43952@hub.org
In response to Re: PGP signing release  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-hackers
On Tue, 11 Feb 2003, Bruce Momjian wrote:

>
> I hate to poo-poo this, but this "web of trust" sounds more like a "web
> of confusion".  I liked the idea of mentioning the MD5 in the email
> announcement.  It doesn't require much extra work, and doesn't require a
> 'web of %$*&" to be set up to check things.  Yea, it isn't as secure as
> going through the motions, but if someone breaks into that FTP server
> and changes the tarball and MD5 file, we have much bigger problems than
> someone modifying the tarballs;  our CVS is on that machine too.

It's so rare that it happens, but I do agree with Bruce :)

Justin, one thought ... storing the MD5s in the database for the
postgresql.org site, so that ppl can compare the two places?  We'd
*really* have to be compromised for that to fail, but adding the md5s
would be easy enough ...
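
Publishing the MD5 in a second place, as suggested above, only helps if the downloader checks the tarball against both places and treats any disagreement as a failure. The sketch below is an added example, not part of the original message or of PostgreSQL's tooling; the source names (`ftp_md5_file`, `website_db`) and the file name are constructed placeholders.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="md5", chunk=1 << 16):
    """Hash the file in chunks so a large tarball is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_md5_file(text, filename):
    """Return the digest listed for filename in md5sum-style text, else None."""
    wanted = os.path.basename(filename)
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip().lstrip("*") == wanted:
            return parts[0].lower()
    return None

def check_release(path, published):
    """published maps a source name to the hex digest it lists (None if absent).

    Returns (ok, per_source). ok is True only when every source lists a
    digest and all of them match the downloaded file.
    """
    actual = file_digest(path)
    per_source = {
        name: digest is not None and digest.strip().lower() == actual
        for name, digest in published.items()
    }
    return bool(per_source) and all(per_source.values()), per_source

def demo():
    """Constructed data: a stand-in tarball and two hypothetical sources."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "postgresql-X.Y.Z.tar.gz")  # placeholder name
        with open(path, "wb") as f:
            f.write(b"constructed release bytes")
        good = file_digest(path)
        md5_file = good + "  postgresql-X.Y.Z.tar.gz\n"    # as fetched beside the tarball
        return check_release(path, {
            "ftp_md5_file": parse_md5_file(md5_file, path),
            "website_db": "0" * 32,                        # second source disagrees
        })

if __name__ == "__main__":
    print(demo())
```

A mismatch on either source means the download should be discarded; the result shows which source disagreed with the file, not which one was altered.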

