
bzip2 already includes a CRC-32 checksum that should suffice for
non-security purposes.
* Kyle Marek-Spartz
It is also useful for non-security reasons, e.g. data corruption due to a poor network connection or bad file system.
-- Kyle Marek-Spartz
On February 15, 2014 at 9:41:55 AM, Roman Cheplyaka (roma@ro-che.info) wrote:
* Peter Simons [2014-02-15 16:10:55+0100]
Hi Roman,
I suppose that SHA hashes are meaningless unless they are PGP-signed by, say, Austin?
Well, there are shades of gray. Technically speaking, even PGP-signatures are meaningless unless you've personally verified the fingerprint of the PGP-key that signed the release with the owner of the key. If you didn't do that, you cannot trust the key, and hence its signature doesn't mean anything.
Obviously. But PGP has at least some value (it's useful for those who trust the key), while just an SHA sum... I don't know.
Also, a PGP signature is itself a signed hash, so there's hardly any "security" reason to prefer plain SHA to PGP.
In practice, however, a valid PGP-signature *does* add some security. It's not 100% secure, but it's certainly better than no signature at all.
The same applies to publishing hashes. A published hash is no guarantee that the binary is authentic, but having one is certainly better than *not* having one. Right?
In that case, SHA256 of https://www.haskell.org/ghc/dist/7.6.3/ghc-7.6.3-i386-unknown-linux.tar.bz2 is eb9bd2ca86c72c7f2ba9f2301e2ae04c44aa4828cf1180548619aa4c040a7ff0. HTH.
Roman

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
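As an added example (not code from the thread or from the GHC project), the check a user would run on the downloaded tarball against the digest Roman posted: it parses a sha256sum-style "<hex>  <filename>" line (that format is an assumption), hashes the file in chunks, and rejects truncated or malformed digests. The sample bytes are constructed stand-ins, not the real tarball.

```python
"""Added example (not code from the thread): verify a downloaded tarball
against a published SHA256 digest in sha256sum(1)'s "<hex>  <filename>" format."""
import hashlib
import hmac
import io
import re
from typing import BinaryIO, Optional, Tuple

CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)\s*$")


def parse_checksum_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (digest, filename) from a sha256sum-style line, or None if malformed."""
    m = CHECKSUM_LINE.match(line.strip())
    return (m.group(1).lower(), m.group(2)) if m else None


def sha256_of_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Hash a large tarball in chunks so it never has to sit in memory whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(stream: BinaryIO, published: str) -> bool:
    """True only if the stream's SHA256 equals the published digest.

    A malformed published value (truncated, non-hex) fails rather than raises,
    so a mangled copy of the digest can never pass by accident. The digest is
    only as trustworthy as the channel it came from: this detects corruption
    or a tampered file, not a tampered hash page.
    """
    if not re.fullmatch(r"[0-9a-fA-F]{64}", published):
        return False
    return hmac.compare_digest(sha256_of_stream(stream), published.lower())


def verify_bytes(data: bytes, published: str) -> bool:
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return verify_download(io.BytesIO(data), published)


if __name__ == "__main__":
    # Constructed stand-in for a tarball; the real check would open the
    # downloaded ghc-7.6.3-i386-unknown-linux.tar.bz2 in binary mode.
    line = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample.tar.bz2"
    digest, name = parse_checksum_line(line)
    print(name, "OK" if verify_bytes(b"abc", digest) else "MISMATCH: do not install")
```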