From: Mark W. <ma...@wo...> - 2002-04-29 07:21:54
Hi,

> To me the key difference is that an MD5 hash has no ownership associated with
> it. So if I were an evil cracker and I had access to a distribution site
> then I could easily alter the package and regenerate the MD5 key. Unless
> someone is validating that the MD5 on the mirror site is the same as on the primary
> site, it will all match and the install would happen.
>
> However in the GPG case I couldn't alter the package and still have a valid
> GPG signature of the 'build-meister'.
>
> It's still a little 'swings and roundabouts' but GPG at least would tie you
> to an identity, and a little more security. It's not necessarily something
> that Joe Public would religiously do. But for the more paranoid it's a little
> more comforting :-)

But in the end, it's just as easy to fake a GPG key as it is to fake an MD5. Unless you personally hand over the key, it's worth just as much as MD5. The only difference would be that the GPG key is the same for all downloads and the MD5 has to be checked every time.

Kind regards,
Mark
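The trust model both posters are arguing about, as an added example that is not part of the original thread or the project's own tooling. It plays out three situations with a compromised mirror: the attacker swaps the package and regenerates the checksum; the attacker additionally re-signs with their own key and serves that key alongside the package (Mark's point); and the client who obtained the maintainer's public key out of band. Signing here is unpadded textbook RSA over SHA-256 with a hypothetical `keygen`/`sign`/`verify` trio, used only so the block runs with the standard library; the package bytes and the mirror layout are constructed for the example, and real releases would use GPG or a padded signature scheme instead.

```python
"""Added example: a checksum served by the mirror proves nothing about who
built the package; a signature proves authorship only if the verifying key
did not come from the same mirror. Toy textbook RSA, illustration only."""
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; good enough for an illustration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(cand):
            return cand


def keygen(bits=1024):
    """Hypothetical helper: returns ((n, e), (n, d)); n is larger than a SHA-256
    digest so the unpadded hash never wraps."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


def publish(priv, pub, package):
    """What the build-meister uploads: the package, its MD5 and a signature.
    The public key is served from the same place (the weak spot under discussion)."""
    return {"package": package, "md5": hashlib.md5(package).hexdigest(),
            "sig": sign(priv, package), "pubkey": pub}


def client_check(mirror, pinned_pub):
    """Three checks a downloader can run; returns (md5 ok, signature ok using
    the key the mirror serves, signature ok using a key obtained out of band)."""
    return (hashlib.md5(mirror["package"]).hexdigest() == mirror["md5"],
            verify(mirror["pubkey"], mirror["package"], mirror["sig"]),
            verify(pinned_pub, mirror["package"], mirror["sig"]))


def run_scenario():
    builder_pub, builder_priv = keygen()
    attacker_pub, attacker_priv = keygen()
    original = b"pkg-1.0.tar.gz (constructed contents)"
    trojaned = b"pkg-1.0.tar.gz (constructed contents) + backdoor"
    honest = publish(builder_priv, builder_pub, original)
    # Cracker with write access: swap the package, regenerate the MD5 (free).
    md5_only = dict(honest, package=trojaned,
                    md5=hashlib.md5(trojaned).hexdigest())
    # Same cracker also re-signs with their own key and replaces the served key.
    key_swap = dict(md5_only, sig=sign(attacker_priv, trojaned), pubkey=attacker_pub)
    return {"honest": client_check(honest, builder_pub),
            "md5_only": client_check(md5_only, builder_pub),
            "key_swap": client_check(key_swap, builder_pub)}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:9s} md5={result[0]} sig(mirror key)={result[1]} sig(pinned key)={result[2]}")
```

The middle column is the one that settles the argument: with the key served next to the package, the `key_swap` mirror passes both the MD5 and the signature check, exactly as Mark says. Only the pinned-key column distinguishes the honest mirror from the compromised one, and that column exists only for a client who got the build-meister's key somewhere the mirror's attacker cannot reach.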