Re: PGP signing release

On Tue, 11 Feb 2003, Bruce Momjian wrote:

>
> I hate to poo-poo this, but this "web of trust" sounds more like a "web
> of confusion".  I liked the idea of mentioning the MD5 in the email
> announcement.  It doesn't require much extra work, and doesn't require a
> 'web of %$*&" to be set up to check things.  Yea, it isn't as secure as
> going through the motions, but if someone breaks into that FTP server
> and changes the tarball and MD5 file, we have much bigger problems than
> someone modifying the tarballs;  our CVS is on that machine too.

Its so rare that it happens, but I do agree with Bruce :)

Justin, one thought ... storing the MD5s in the database for the
postgresql.org site, so that ppl can compare the two places?  We'd
*really* have to be compromised for that to fail, but adding the md5s
would be easy enough ...