[Haskell-cafe] GHC 7.6.3 (and others) hashes

Roman Cheplyaka roma at ro-che.info
Sat Feb 15 15:41:38 UTC 2014


* Peter Simons <simons at cryp.to> [2014-02-15 16:10:55+0100]
> Hi Roman,
> 
> > I suppose that SHA hashes are meaningless unless they are PGP-signed
> > by, say, Austin?
> 
> well, there are shades of gray. Technically speaking, even PGP-signatures
> are meaningless unless you've personally verified the fingerprint of the
> PGP-key that signed the release with the owner of the key. If you didn't do
> that, you cannot trust the key, and hence its signature doesn't mean
> anything.

Obviously. But PGP has at least some value (it's useful for those who
trust the key), while just an SHA sum... I don't know.

Also, a PGP signature is itself a signed hash, so there's hardly any
"security" reason to prefer plain SHA to PGP.

> In practice, however, a valid PGP-signature *does* add some security. It's
> not 100% secure, but it's certainly better than no signature at all.
> 
> The same applies to publishing hashes. A published hash is no guarantee that
> the binary is authentic, but having one is certainly better than *not*
> having one. Right?

In that case, SHA256 of https://www.haskell.org/ghc/dist/7.6.3/ghc-7.6.3-i386-unknown-linux.tar.bz2
is eb9bd2ca86c72c7f2ba9f2301e2ae04c44aa4828cf1180548619aa4c040a7ff0. HTH.

Roman