Are SHA1 sums on gnupg.org checked regularly?
takethebus at gmx.de
Thu Jul 25 21:33:09 CEST 2013
Hi everybody,

on http://www.gnupg.org/download/integrity_check.en.html
SHA1 sums of gnupg software are published and it is said:

"To be sure that this page has not been tampered, you may want to
compare the list below with the one included in the announcement mail
posted to several mailing list".

Which mailing lists are meant? Can't emails be tampered with, too? If I've
just downloaded gnupg and if I'm not on any mailing list, what can I do?

I feel it would be nice to add the following lines to the description on
the homepage:

"The authors of gnupg keep an offline copy of the SHA1 sums of their
programs and try to compare them with the SHA1 sums presented here every
week. Thus, if you have been comparing your SHA1 sum with the one on
the homepage for several days and they matched every time, you can be
rather sure your version of gnupg has not been tampered with."

My question now is: Does such a check really take place and if so, how
often is it performed?

Further, I feel the following lines should be added to the homepage,
especially because it might be useful for Windows users:

"In order to calculate the SHA1 sums you should at least use two
different programs. On the internet many free programs can be found
which can be used for that."

What do you think? I'm grateful for answers.

Jan
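Added example, not part of the original post or of GnuPG's own tooling: a POSIX shell check that does what the post proposes, computing the SHA-1 of a downloaded file with two independent programs (GNU coreutils sha1sum and OpenSSL, both assumed to be installed) and comparing the agreed result with a digest obtained through a second channel such as the announcement mail. The file name and digests used in the demo are constructed, not real GnuPG release values.

```shell
#!/bin/sh
# Verify a download's SHA-1 with two independent tools, then compare the
# agreed digest with the value published elsewhere (constructed example).

# sha1_coreutils FILE -> lowercase hex digest from GNU coreutils
sha1_coreutils() { sha1sum "$1" | awk '{print $1}'; }

# sha1_openssl FILE -> lowercase hex digest from OpenSSL
# (its output looks like "SHA1(file)= <hex>", so take the last field)
sha1_openssl() { openssl dgst -sha1 "$1" | awk '{print $NF}'; }

# verify_sha1 FILE EXPECTED
# returns 0 if both tools agree with each other and with EXPECTED,
# 1 on any mismatch, 2 if FILE cannot be read.
verify_sha1() {
  vs_file=$1
  vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case input
  [ -r "$vs_file" ] || { echo "cannot read $vs_file" >&2; return 2; }
  vs_a=$(sha1_coreutils "$vs_file")
  vs_b=$(sha1_openssl "$vs_file")
  if [ "$vs_a" != "$vs_b" ]; then
    # Two tools disagreeing points at a broken or tampered hashing program.
    echo "tools disagree: sha1sum=$vs_a openssl=$vs_b" >&2
    return 1
  fi
  if [ "$vs_a" != "$vs_expected" ]; then
    echo "MISMATCH for $vs_file: got $vs_a, expected $vs_expected" >&2
    return 1
  fi
  echo "OK $vs_file $vs_a"
  return 0
}

# Demo on a constructed file ("abc") whose SHA-1 is well known; the
# second call shows the failure path with a deliberately wrong digest.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/gnupg-demo.tar"
verify_sha1 "$demo_dir/gnupg-demo.tar" a9993e364706816aba3e25717850c26c9cd0d89d || true
verify_sha1 "$demo_dir/gnupg-demo.tar" 0000000000000000000000000000000000000000 || true
rm -rf "$demo_dir"
```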