[Haskell-cafe] GHC 7.6.3 (and others) hashes
kyle.marek.spartz at gmail.com
Sat Feb 15 16:20:45 UTC 2014
It is also useful for non-security reasons, e.g. data corruption due to a poor network connection or bad file system.
On February 15, 2014 at 9:41:55 AM, Roman Cheplyaka (roma at ro-che.info) wrote:
> * Peter Simons [2014-02-15 16:10:55+0100]
> > Hi Roman,
> > > I suppose that SHA hashes are meaningless unless they are PGP-signed
> > > by, say, Austin?
> > well, there are shades of gray. Technically speaking, even
> > are meaningless unless you've personally verified the fingerprint of the
> > PGP-key that signed the release with the owner of the key. If you didn't do
> > that, you cannot trust the key, and hence its signature doesn't
> > anything.
> Obviously. But PGP has at least some value (it's useful for those
> trust the key), while just an SHA sum... I don't know.
> Also, a PGP signature is itself a signed hash, so there's hardly
> "security" reason to prefer plain SHA to PGP.
> > In practice, however, a valid PGP-signature *does* add some security. It's
> > not 100% secure, but it's certainly better than no signature at all.
> > The same applies to publishing hashes. A published hash is no guarantee that
> > the binary is authentic, but having one is certainly better than *not*
> > having one. Right?
> In that case, SHA256 of https://www.haskell.org/ghc/dist/7.6.3/ghc-7.6.3-i386-unknown-linux.tar.bz2
> is eb9bd2ca86c72c7f2ba9f2301e2ae04c44aa4828cf1180548619aa4c040a7ff0.
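The distinction argued in this thread, shown as an added example that is not part of any of the posts: a bare SHA-256 catches a damaged download, but it says nothing about origin when the digest comes from the same unauthenticated place as the file. The file contents and names below are constructed stand-ins, not the real GHC archive.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large tarball is never fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published(path, published_hex):
    """True if the file's SHA-256 equals the digest the reader was given."""
    return hmac.compare_digest(sha256_file(path), published_hex.strip().lower())


def demo():
    # Constructed sample data standing in for a release tarball.
    original = b"constructed release archive contents\n" * 1000
    trusted_digest = hashlib.sha256(original).hexdigest()
    damaged = bytearray(original)
    damaged[1234] ^= 0x01  # a single flipped bit, as from a bad link or disk
    other = b"different contents served in place of the release\n"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "release.tar.bz2")

        def check(data, digest):
            with open(path, "wb") as f:
                f.write(data)
            return matches_published(path, digest)

        # Intact download checked against the published digest.
        results["intact"] = check(original, trusted_digest)
        # Corruption is detected: the non-security use of the hash.
        results["corrupted"] = check(bytes(damaged), trusted_digest)
        # File and digest both taken from the same unauthenticated source:
        # the check passes and proves nothing about who produced the file.
        results["replaced_file_and_digest"] = check(
            other, hashlib.sha256(other).hexdigest())
        # Same replaced file against a digest obtained through a channel the
        # reader already trusts (for example a signed announcement).
        results["replaced_file_trusted_digest"] = check(other, trusted_digest)
    return results


if __name__ == "__main__":
    print(demo())
```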