[arch-devops] Arch Linux ISO Checksums on archlinux.org
johannes at kyriasis.com
Wed Feb 24 02:35:19 UTC 2016
On 23/02, Christian Rebischke wrote:
>On Mon, Feb 22, 2016 at 04:55:17PM +0100, Levente Polyak wrote:
>> On February 22, 2016 4:22:40 PM GMT+01:00, Christian Rebischke <Chris.Rebischke at archlinux.org> wrote:
>> >Maybe we should also sign the ISO with a GPG-Key.
>> >I don't mean that we should remove the MD5 checksum but we should add
>> >other checksum and sign the ISO.
>> The ISO is actually signed, above the mentioned checksums  you can find the signature file .
>>  https://www.archlinux.org/download/
>>  https://www.archlinux.org/iso/2016.02.01/archlinux-2016.02.01-dual.iso.sig
>Sorry guys, there I was too fast and inattentive.
>But, however, what do you think about adding a stronger checksum to it?
>I know that a GPG-signatures + MD5 or SHA1 would be enough but I know enough
>people who just check the checksum and don't care about signatures.
The checksums aren't for security, and anyone who replaced the tarball
could most likely change the checksum as well.
PGP Key ID: 0x50FB9B273A9D0BB5
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1768 bytes
Desc: not available
More information about the arch-devops