Re: PGP signing releases - Mailing list pgsql-hackers

From greg@turnstep.com
Subject Re: PGP signing releases
Date
Msg-id f02a45ae9d09aa10b283f0dd61bfae9a@biglumber.com
In response to Re: PGP signing releases  (Peter Eisentraut <peter_e@gmx.net>)
Responses Re: PGP signing releases
List pgsql-hackers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> So you put the MD5 sum into the release announcement email.  That is
> downloaded by many people and also archived in many distributed places
> that we don't control, so it would be very hard to tamper with.  
> ISTM that this gives you the same result as a PGP signature but with 
> much less administrative overhead.

Not the same results. For one thing, the mailing announcement may be 
archived on google, but asking people to search google for an MD5 sum 
as they download the tarball is hardly feasible. Second, it still does 
not prevent someone from breaking into the server and replacing the 
tarball with their own version, and their own MD5 checksum. Or maybe 
just one of the mirrors. Users are not going to know to compare that 
MD5 with versions on the web somewhere. Third, it does not allow a 
positive history to be built up due to signing many releases over time. 
With PGP, someone can be assured that the 9.1 tarball they just 
downloaded was signed by the same key that signed the 7.3 tarball 
they've been using for 2 years. Fourth, only with PGP can you trace 
your key to the one that signed the tarball, an additional level of 
security. MD5 provides an integrity check only. Any security it 
affords (such as storing the MD5 sum elsewhere) is trivial and 
should not be considered when using PGP is standard, easy to implement,
and has none of MD5's weaknesses.

- --
Greg Sabino Mullane  greg@turnstep.com
PGP Key: 0x14964AC8 200302102250
-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iD8DBQE+SA4AvJuQZxSWSsgRAhenAKDu0vlUBC5Eodyt2OxTG6el++BJZACguR2i
GGLAzhtA7Tt9w4RUYXY4g2U=
=3ryu
-----END PGP SIGNATURE-----
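The key-continuity argument above (the 9.1 tarball signed by the same key as the 7.3 tarball) only holds if the verifier checks which key made the signature, not merely that gpg exited 0. This is an added example, not code from the thread or from the PostgreSQL project: it parses `gpg --status-fd` output and pins the primary-key fingerprint; the fingerprint constant and the sample status lines in the test are constructed placeholders.

```python
import subprocess

# Constructed placeholder: the fingerprint recorded when the release key
# was first trusted (e.g. from the signature on an earlier tarball).
PINNED_PRIMARY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"


def verify_status(status_lines, pinned_fpr):
    """Return (ok, reason) from gpg --status-fd output.

    A zero exit from gpg only means "some key in my keyring made a valid
    signature". Only the VALIDSIG line carries the primary-key fingerprint,
    which is what ties this release to the key that signed the previous ones.
    """
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "BADSIG":
            return False, "signature does not match the file"
        if keyword in ("ERRSIG", "NO_PUBKEY"):
            return False, "cannot verify: signing key not in keyring"
        if keyword in ("EXPKEYSIG", "REVKEYSIG"):
            return False, "signing key expired or revoked"
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsv> <pkalgo>
            #          <hashalgo> <class> [<primary-fpr>]
            primary = fields[11] if len(fields) > 11 else fields[2]
            if primary.upper() != pinned_fpr.upper():
                # Valid, but from a different key: a swapped key on a
                # mirror looks exactly like this, so treat it as failure.
                return False, f"valid signature from unexpected key {primary}"
            return True, f"signed by pinned key {primary}"
    return False, "no VALIDSIG line: gpg did not report a valid signature"


def verify_release(tarball, detached_sig, pinned_fpr=PINNED_PRIMARY_FPR):
    """Run gpg on a tarball and its .asc, then apply the fingerprint pin."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", detached_sig, tarball],
        capture_output=True, text=True, check=False)
    return verify_status(proc.stdout.splitlines(), pinned_fpr)
```

Contrast this with an MD5 sum fetched from the same mirror as the tarball: whoever replaced the tarball can replace the sum, while a fresh key cannot reproduce the pinned fingerprint.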