On 11 Oct 2012, at 00:44, Greg Stein wrote:

> Please explain how "keys" are needed for this ASF release? Consumers are
> already told to verify the SHA1 and nothing more. I doubt any more is
> needed.

SHA1 offers no more protection than a checksum against MITM attack.

> (assume secure Infrastructure)

You have to extend that assumption not only to our infrastructure
but to every proxy that might come between us and a user, and that
might substitute a trojan along with the trojan's own SHA1.

-- 
Nick Kew
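
Added example, not part of the original message or any ASF tooling: the substitution described above, showing that a SHA1 fetched over the same channel as the file still matches after a swap, while a signature checked against a key obtained out of band does not. A Lamport one-time signature built on hashlib stands in for the PGP release signature so the block runs with the standard library only; all function names and sample byte strings are constructed for illustration.

```python
import hashlib, secrets

def H(b): return hashlib.sha256(b).digest()

def bits(msg):
    d = H(msg)  # sign the 256-bit digest of the artifact
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: 256 pairs of secrets; public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    # Reveal one secret per digest bit. A key must sign only one message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for s, (i, b) in zip(sig, enumerate(bits(msg))))

def publish(artifact, sk):
    # What the download channel serves: file, its SHA1, and a detached signature.
    return {"artifact": artifact,
            "sha1": hashlib.sha1(artifact).hexdigest(),
            "sig": sign(sk, artifact)}

def substitute(download, replacement, keep_sig=False):
    # Intermediary swaps the file and recomputes the SHA1. It lacks the release
    # key, so it either signs with its own key or replays the original signature.
    forged = publish(replacement, keygen()[0])
    if keep_sig:
        forged["sig"] = download["sig"]
    return forged

def sha1_ok(dl):
    return hashlib.sha1(dl["artifact"]).hexdigest() == dl["sha1"]

def sig_ok(dl, trusted_pk):
    # trusted_pk must reach the user out of band, not through the same channel.
    return verify(trusted_pk, dl["artifact"], dl["sig"])

if __name__ == "__main__":
    sk, pk = keygen()
    good = publish(b"constructed release tarball", sk)
    for name, dl in [("genuine", good),
                     ("swapped, re-signed", substitute(good, b"constructed replacement")),
                     ("swapped, sig replayed", substitute(good, b"constructed replacement", True))]:
        print(f"{name:22} sha1_ok={sha1_ok(dl)} sig_ok={sig_ok(dl, pk)}")
```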
