[Haskell-cafe] GHC 7.6.3 (and others) hashes
roma at ro-che.info
Sat Feb 15 15:41:38 UTC 2014
* Peter Simons <simons at cryp.to> [2014-02-15 16:10:55+0100]
> Hi Roman,
> > I suppose that SHA hashes are meaningless unless they are PGP-signed
> > by, say, Austin?
> well, there are shades of gray. Technically speaking, even PGP-signatures
> are meaningless unless you've personally verified the fingerprint of the
> PGP-key that signed the release with the owner of the key. If you didn't do
> that, you cannot trust the key, and hence its signature doesn't mean
Obviously. But PGP has at least some value (it's useful for those who
trust the key), while just an SHA sum... I don't know.
Also, a PGP signature is itself a signed hash, so there's hardly any
"security" reason to prefer plain SHA to PGP.
> In practice, however, a valid PGP-signature *does* add some security. It's
> not 100% secure, but it's certainly better than no signature at all.
> The same applies to publishing hashes. A published hash is no guarantee that
> the binary is authentic, but having one is certainly better than *not*
> having one. Right?
In that case, SHA256 of https://www.haskell.org/ghc/dist/7.6.3/ghc-7.6.3-i386-unknown-linux.tar.bz2
is eb9bd2ca86c72c7f2ba9f2301e2ae04c44aa4828cf1180548619aa4c040a7ff0. HTH.