[Haskell-cafe] GHC 7.6.3 (and others) hashes

Peter Simons simons at cryp.to
Sat Feb 15 15:10:55 UTC 2014

Hi Roman,

 > I suppose that SHA hashes are meaningless unless they are PGP-signed
 > by, say, Austin?

well, there are shades of gray. Technically speaking, even PGP signatures
are meaningless unless you've personally verified the fingerprint of the
PGP key that signed the release with the owner of the key. If you didn't do
that, you cannot trust the key, and hence its signature doesn't mean

In practice, however, a valid PGP signature *does* add some security. It's
not 100% secure, but it's certainly better than no signature at all.

The same applies to publishing hashes. A published hash is no guarantee that
the binary is authentic, but having one is certainly better than *not*
having one. Right?

Take care,


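The point about published hashes, worked through as an added example (this is not code from the mailing-list post or from the GHC project): a SHA256SUMS check catches a corrupted or swapped download only when the hash list came from somewhere the attacker does not also control. The tarball name, its contents and the directory layout below are constructed placeholders written into a temporary directory; nothing is downloaded.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from the GHC
# project: verify a downloaded release against a published SHA256SUMS
# file, and show what that check does and does not protect against.
# Every file below is constructed in a temporary directory; the tarball
# name and contents are placeholders.
set -eu

# Print the hex SHA-256 digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_against_sums FILE SUMSFILE
# Returns 0 if FILE's digest matches the SHA256SUMS entry for its basename,
# 1 if the entry is missing or the digest differs.  Both the "  name" and
# the binary-mode " *name" forms written by sha256sum are accepted.
verify_against_sums() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$2")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $2" >&2
        return 1
    fi
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $name"
    else
        echo "FAIL $name (expected $expected, got $actual)" >&2
        return 1
    fi
}

# Build a constructed scenario and print its directory:
#   local/SHA256SUMS  - the checksum list you saved from another channel
#                       (announcement mail, a different mirror) before the
#                       download site was tampered with
#   mirror/           - the download site after an attacker swapped the
#                       tarball AND regenerated SHA256SUMS to match it
setup_demo() {
    d=$(mktemp -d)
    mkdir "$d/local" "$d/mirror"
    printf 'genuine release bytes\n' > "$d/mirror/ghc-7.6.3-x86_64.tar.bz2"
    ( cd "$d/mirror" && printf '%s  %s\n' "$(sha256_of ghc-7.6.3-x86_64.tar.bz2)" \
        ghc-7.6.3-x86_64.tar.bz2 > SHA256SUMS )
    cp "$d/mirror/SHA256SUMS" "$d/local/SHA256SUMS"
    # The attacker replaces the tarball and republishes a matching hash.
    printf 'trojaned release bytes\n' > "$d/mirror/ghc-7.6.3-x86_64.tar.bz2"
    ( cd "$d/mirror" && printf '%s  %s\n' "$(sha256_of ghc-7.6.3-x86_64.tar.bz2)" \
        ghc-7.6.3-x86_64.tar.bz2 > SHA256SUMS )
    printf '%s\n' "$d"
}

# Returns 0 when the scenario shows the expected outcome: the hash taken
# from the same compromised site still verifies, the out-of-band copy
# catches the swap.
run_demo() {
    d=$(setup_demo)
    tarball=$d/mirror/ghc-7.6.3-x86_64.tar.bz2
    same_site=0
    out_of_band=0
    verify_against_sums "$tarball" "$d/mirror/SHA256SUMS" && same_site=1
    verify_against_sums "$tarball" "$d/local/SHA256SUMS" 2>/dev/null && out_of_band=1
    rm -rf "$d"
    [ "$same_site" -eq 1 ] && [ "$out_of_band" -eq 0 ]
}

run_demo
```

The same reasoning is why a hash list that sits next to the tarball on one server mainly protects against transfer corruption, while a hash (or a detached signature) obtained through a second channel protects against that server being tampered with; the signature's value then rests on how the key's fingerprint was verified, as the message above says.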