[arch-devops] Arch Linux ISO Checksums on archlinux.org

Johannes Löthberg johannes at kyriasis.com
Wed Feb 24 02:35:19 UTC 2016


On 23/02, Christian Rebischke wrote:
>On Mon, Feb 22, 2016 at 04:55:17PM +0100, Levente Polyak wrote:
>> On February 22, 2016 4:22:40 PM GMT+01:00, Christian Rebischke <Chris.Rebischke at archlinux.org> wrote:
>> >Maybe we should also sign the ISO with a GPG-Key.
>> >
>> >I don't mean that we should remove the MD5 checksum but we should add some
>> >other checksum and sign the ISO.
>> >
>>
>> The ISO is actually signed, above the mentioned checksums [0] you can find the signature file [1].
>>
>> Cheers,
>> Levente
>>
>> [0] https://www.archlinux.org/download/
>> [1] https://www.archlinux.org/iso/2016.02.01/archlinux-2016.02.01-dual.iso.sig
>
>
>Sorry guys, there I was too fast and inattentive.
>But, however, what do you think about adding a stronger checksum to it?
>I know that a GPG signature + MD5 or SHA1 would be enough but I know enough
>people who just check the checksum and don't care about signatures.
>

The checksums aren't for security, and anyone who replaced the tarball 
could most likely change the checksum as well.

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/
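
The point made in the message above, as an added example that is not part of the original thread and is not Arch Linux tooling: a checksum listed next to the download catches accidental corruption, but it agrees with a replaced image no matter how strong the hash is. All names and sample bytes here are constructed, and the out-of-band SHA-256 value is only a stand-in for the signature check, not a GPG verification.

```python
import hashlib

ISO_NAME = "archlinux.iso"  # constructed file name, not a real release
ALGOS = ("md5", "sha1", "sha256")

def publish(iso: bytes) -> dict:
    """Model a download server: the image plus one checksum file per algorithm.

    Whoever can write the image can run this again, so every checksum
    file is regenerated together with it.
    """
    site = {ISO_NAME: iso}
    for algo in ALGOS:
        line = f"{hashlib.new(algo, iso).hexdigest()}  {ISO_NAME}\n"
        site[f"{algo}sums.txt"] = line.encode()
    return site

def check_against_site(site: dict, algo: str) -> bool:
    """What a user does who only compares the download with the listed checksum."""
    listed = site[f"{algo}sums.txt"].decode().split()[0]
    return hashlib.new(algo, site[ISO_NAME]).hexdigest() == listed

def check_against_anchor(site: dict, trusted_sha256: str) -> bool:
    """Compare with a value the server cannot rewrite (stand-in for a signature)."""
    return hashlib.sha256(site[ISO_NAME]).hexdigest() == trusted_sha256

def corrupt(site: dict) -> dict:
    """Accidental damage: the image changes, the checksum files do not."""
    damaged = dict(site)
    damaged[ISO_NAME] = site[ISO_NAME][:-1] + b"\x00"
    return damaged

# Constructed sample data standing in for real images.
GENUINE = b"constructed bytes standing in for the genuine image\n"
REPLACED = b"constructed bytes standing in for a replaced image\n"
ANCHOR = hashlib.sha256(GENUINE).hexdigest()  # assumed to be obtained out of band

honest = publish(GENUINE)
replaced = publish(REPLACED)  # image and checksum files rewritten together

if __name__ == "__main__":
    print("algo    honest  corrupted  replaced")
    for algo in ALGOS:
        print(f"{algo:<7} {check_against_site(honest, algo)!s:<7} "
              f"{check_against_site(corrupt(honest), algo)!s:<10} "
              f"{check_against_site(replaced, algo)}")
    print("anchor ", check_against_anchor(honest, ANCHOR),
          check_against_anchor(corrupt(honest), ANCHOR),
          check_against_anchor(replaced, ANCHOR))
```
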