On Mon, Dec 14, 2009 at 7:23 PM, Josh Berkus <josh@postgresql.org> wrote:
> WWW team,
>
> Does Otto have a point?
Yes. From a security perspective, the md5's are useless when
distributed alongside the binaries. That's why I GPG sign my releases
of pgAdmin and the MSI installer - noone else can recreate those
signatures.
There is potentially some benefit to having them there to allow the
user to verify they have a good download though, for example, in the
event of an error untarring.
--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
