Hi,

On Thu, 12.02.2009 at 21:25:34 +0000, Christian Weisgerber <[email protected]> wrote:
> Should be trivial, but that's not my decision. And really, what's
> the point? Unless the MD5 file has a different distribution path,
> it offers no security benefit. It's handy to check for inadvertent
> transfer corruption, that's all.

yes, but this one could be easily fixed, imho (sort of, that is). It would require someone signing a file with such hashes with - preferably - a well connected OpenPGP key. Any one of the OpenBSD developers should be able to create and/or use such a key of suitable size (4096 bits, imho) with ease. Only that some keys need to be published and widely advertized as being used for that purpose. Please see e.g. "debian-keyring" or "debian-archive-keyring" for inspiration.

Kind regards,
--Toni++
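The arrangement discussed in this message, sketched as an added example that is not part of the original email or of any OpenBSD tooling: a hash list signed with a 4096-bit OpenPGP key, verified against a public key obtained separately from the mirror. It assumes GnuPG 2.1 or later and GNU `sha256sum`; the use of SHA-256 instead of MD5, the `SHA256`/`SHA256.asc` file names, the key identity and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; key identity, file names and function names are constructed.
GPG="gpg --batch --quiet --pinentry-mode loopback"

# make_signing_key SIGNER_HOME
# Create a throwaway 4096-bit RSA signing-only key without a passphrase.
make_signing_key() {
    $GPG --homedir "$1" --passphrase '' --quick-generate-key \
        'Release Signing (constructed) <release@example.invalid>' rsa4096 sign never
}

# sign_hashes SIGNER_HOME DIR FILE...
# Write DIR/SHA256 covering the named files, plus a detached signature over it.
sign_hashes() {
    home=$1 dir=$2; shift 2
    ( cd "$dir" && sha256sum -- "$@" > SHA256 ) &&
    $GPG --homedir "$home" --passphrase '' --yes --armor \
        --output "$dir/SHA256.asc" --detach-sign "$dir/SHA256"
}

# publish_key SIGNER_HOME VERIFIER_HOME
# Stands in for the separately distributed keyring: the verifier receives the
# public key by a path other than the mirror that serves the files.
publish_key() {
    $GPG --homedir "$1" --export | $GPG --homedir "$2" --import
}

# verify_release VERIFIER_HOME DIR
# Returns 0 if the hash list is signed by a key in the verifier's keyring and
# every listed file matches; 1 on a bad or missing signature; 2 on a hash mismatch.
verify_release() {
    $GPG --homedir "$1" --verify "$2/SHA256.asc" "$2/SHA256" 2>/dev/null || return 1
    ( cd "$2" && sha256sum --check --quiet --strict SHA256 >/dev/null 2>&1 ) || return 2
}
```

The second failure case in the quoted objection is the one the signature addresses: if the hash list is rewritten alongside the file, the hashes agree with each other but `verify_release` returns 1.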
