[Haskell-cafe] GHC 7.6.3 (and others) hashes
simons at cryp.to
Sat Feb 15 15:10:55 UTC 2014
> I suppose that SHA hashes are meaningless unless they are PGP-signed
> by, say, Austin?
Well, there are shades of gray. Technically speaking, even PGP-signatures
are meaningless unless you've personally verified the fingerprint of the
PGP-key that signed the release with the owner of the key. If you didn't do
that, you cannot trust the key, and hence its signature doesn't mean
In practice, however, a valid PGP-signature *does* add some security. It's
not 100% secure, but it's certainly better than no signature at all.
The same applies to publishing hashes. A published hash is no guarantee that
the binary is authentic, but having one is certainly better than *not*
having one. Right?
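As an added illustration of the distinction drawn above (not code from the thread or from the GHC project): a POSIX shell routine that checks a downloaded file two ways. The SHA-256 comparison gives integrity only, since whoever can swap the tarball on the download server can swap the published hash too; the PGP check verifies against a throwaway keyring holding one key whose fingerprint was confirmed out of band. The expected hash and signer fingerprint are placeholders, because the message quotes neither.

```shell
#!/bin/sh
# Two checks on a release file (constructed example; values are placeholders).
set -u

sha256_of() {
    # Print the hex SHA-256 of "$1" (coreutils sha256sum or BSD/macOS shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

check_sha256() {
    # check_sha256 FILE EXPECTED_HEX -> 0 if the hash matches, 1 otherwise.
    # Integrity only: a published hash is not authenticity.
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

check_pgp_signature() {
    # check_pgp_signature FILE SIGFILE PUBKEY_FILE FINGERPRINT -> 0 only if the
    # key in PUBKEY_FILE has the pinned FINGERPRINT and made a good signature.
    # FINGERPRINT is what you confirmed with the key owner, not something
    # fetched from the same server that serves the tarball.
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    GNUPGHOME=$home; export GNUPGHOME
    gpg --batch --import "$3" 2>/dev/null || { rm -rf "$home"; return 1; }
    # In --with-colons output, 'fpr' records carry the fingerprint in field 10;
    # the first one is the primary key.
    have=$(gpg --batch --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$have" != "$4" ]; then
        rm -rf "$home"; return 1
    fi
    # --status-fd 1 gives machine-readable results; GOODSIG means the
    # signature verified against the only key in this keyring.
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '
    rc=$?
    rm -rf "$home"
    return $rc
}

# Usage (placeholders, not real GHC values):
#   check_sha256 ghc-7.6.3-src.tar.bz2 "<published-sha256-hex>" &&
#   check_pgp_signature ghc-7.6.3-src.tar.bz2 ghc-7.6.3-src.tar.bz2.sig \
#       release-key.asc "<fingerprint-you-verified-with-the-owner>"
```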