[Haskell-cafe] GHC 7.6.3 (and others) hashes

Peter Simons simons at cryp.to
Sat Feb 15 15:10:55 UTC 2014


Hi Roman,

 > I suppose that SHA hashes are meaningless unless they are PGP-signed
 > by, say, Austin?

well, there are shades of gray. Technically speaking, even PGP-signatures
are meaningless unless you've personally verified the fingerprint of the
PGP-key that signed the release with the owner of the key. If you didn't do
that, you cannot trust the key, and hence its signature doesn't mean
anything.

In practice, however, a valid PGP-signature *does* add some security. It's
not 100% secure, but it's certainly better than no signature at all.

The same applies to publishing hashes. A published hash is no guarantee that
the binary is authentic, but having one is certainly better than *not*
having one. Right?

Take care,
Peter
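As an added illustration of the point above (example code, not part of the thread), a small sh script that checks a release tarball's published SHA-256 and then accepts its detached PGP signature only if gpg reports it valid and the signing key's full fingerprint matches one you pinned after verifying it out of band; the file names and fingerprint value are placeholders.

```shell
#!/bin/sh
# Added example, not from the original message: verify a downloaded release
# against a published SHA-256 and a detached PGP signature, and accept the
# signature only if the signing key's fingerprint equals a pinned value that
# was checked out of band. File names and the fingerprint are placeholders.

# Print the SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the file's SHA-256 equals the published hash (case-insensitive).
check_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Read gpg --status-fd output on stdin and print the fingerprint carried by
# the VALIDSIG line (the field right after the keyword); print nothing if
# gpg did not report a valid signature.
validsig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Return 0 only if gpg reports a valid signature AND the signing key's full
# fingerprint equals the pinned one. Arguments: file, detached .sig, fingerprint.
check_signature() {
    got=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | validsig_fingerprint)
    [ -n "$got" ] && [ "$got" = "$3" ]
}

# Usage with placeholder names:
#   check_sha256 ghc.tar.bz2 "$PUBLISHED_SHA256" \
#     && check_signature ghc.tar.bz2 ghc.tar.bz2.sig "$PINNED_FINGERPRINT"
```

A matching hash alone only shows the file was not corrupted or swapped since the hash was published; pinning the fingerprint is what ties the signature to a key you actually checked.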
