[Owncloud] ownCloud 6 beta2

Andreas Schneider asn at cryptomilk.org
Tue Nov 5 16:01:26 UTC 2013


On Tuesday 05 November 2013 08:12:37 Frank Karlitschek wrote:
> On 05.11.2013, at 06:17, Andreas Schneider <asn at cryptomilk.org> wrote:
> > On Tuesday 05 November 2013 10:03:23 Timothée Ravier wrote:
> >> On Wed, Oct 30, 2013 at 12:48 PM, Frank Karlitschek <frank at owncloud.org> wrote:
> >>> We also sign the downloads and releases from now on with a GPG key.
> >>> The official ownCloud GPG key is attached to this email and will be
> >>> linked on the website.
> >>> 
> >>> http://download.owncloud.org/community/testing/owncloud-6.0.0beta2.tar.bz2
> >>> 
> >>> http://download.owncloud.org/community/testing/owncloud-6.0.0beta2.tar.bz2.asc
> > 
> > Frank,
> > 
> > you need to sign the tar file not the zipped tar file ;)
> 
> Perhaps I'm missing something but:
> Why?

It is much easier to find/produce collisions with compressed files.

See e.g.

http://cryptography.hyperlink.cz/2004/otherformats.html

This is the reason why the projects do a checksum on the tar file and not
on the compressed file, see:

https://www.kernel.org/signature.html
https://www.samba.org/samba/download/


	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
www.cryptomilk.org                asn at cryptomilk.org
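
What checking the tar file rather than the compressed file looks like in practice, as an added example that is not part of the original message: the digest is taken over the decompressed stream, so it is the same whichever compressor or level produced the download. The archive contents and all function names are constructed for illustration.

```python
import bz2, gzip, hashlib, io, lzma, tarfile

# Magic bytes of the compressed containers handled here, with their openers.
OPENERS = [(b"BZh", bz2.open), (b"\x1f\x8b", gzip.open), (b"\xfd7zXZ\x00", lzma.open)]

def file_digest(blob: bytes) -> str:
    """SHA-256 of the bytes exactly as downloaded (compressed or not)."""
    return hashlib.sha256(blob).hexdigest()

def tar_digest(blob: bytes, chunk: int = 65536) -> str:
    """SHA-256 of the uncompressed tar stream contained in blob."""
    stream = io.BytesIO(blob)
    for magic, opener in OPENERS:
        if blob.startswith(magic):
            stream = opener(io.BytesIO(blob), "rb")  # stream-decompress
            break
    digest = hashlib.sha256()
    while True:
        data = stream.read(chunk)
        if not data:
            break
        digest.update(data)
    return digest.hexdigest()

def make_sample_tar() -> bytes:
    """Constructed sample: a one-file tar archive built in memory."""
    payload = b"<?php echo 'constructed sample';\n" * 200
    info = tarfile.TarInfo("sample/index.php")
    info.size = len(payload)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def compare() -> dict:
    """Map each variant to (digest of the file, digest of the tar inside)."""
    tar = make_sample_tar()
    variants = {
        "tar": tar,
        "tar.bz2 (level 1)": bz2.compress(tar, 1),
        "tar.bz2 (level 9)": bz2.compress(tar, 9),
        "tar.gz": gzip.compress(tar),
        "tar.xz": lzma.compress(tar),
    }
    return {name: (file_digest(b), tar_digest(b)) for name, b in variants.items()}

if __name__ == "__main__":
    for name, (on_file, on_tar) in compare().items():
        print(f"{name:18} file={on_file[:16]}  tar={on_tar[:16]}")
```

A detached signature made over the uncompressed tar is checked the same way: decompress to a stream first, then verify against that stream.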
