[Haskell-cafe] GHC 7.6.3 (and others) hashes
Alexander Solla
alex.solla at gmail.com
Sun Feb 16 06:19:57 UTC 2014
On Sat, Feb 15, 2014 at 7:04 AM, Roman Cheplyaka <roma at ro-che.info> wrote:
> * Peter Simons <simons at cryp.to> [2014-02-15 15:54:57+0100]
> > Hi Alexander,
> >
> > > Is there any where I can find SHA hashes for the official GHC builds?
> >
> > I don't think the GHC folks publish such hashes anywhere. You might want
> to
> > create a Trac ticket to that extend, because they really should, IMHO.
> >
> > At the time being, there is no way for you to authenticate those
> binaries.
>
> This is one thing I never really understood. Can someone explain it
> to me? I suppose that SHA hashes are meaningless unless they are
> PGP-signed by, say, Austin? So what's the advantage over distributing a
> PGP signature for the tarball itself?
For my part, my question was mostly motivated by the tools I'm using, which
use SHA hashes. You are right that signing would provide more security,
but the tools I'm evaluating use hashes. And I can foresee circumstances
in which they provide protection against attack. For example, some large
projects mirror the keys. An unannounced change of the hash would get
noticed. This is especially true if I keep a copy of the hash. Making
hashes is pretty cheap. So is signing. I am not against signing as well,
by any means.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/haskell-cafe/attachments/20140215/1a057abe/attachment.html>
More information about the Haskell-Cafe
mailing list