Re: signed tarballs

On Apr 13, 2017 14:05, "Paul Moore" <paul(a)paul-moore.com&gt; wrote: On Thu, Apr 13, 2017 at 5:00 PM, William Roberts <bill.c.roberts(a)gmail.com&gt; wrote: Unless Steve has exclusive administrative access to people.redhat.com (I think it is safe to say he does not, but correct me if I'm wrong Steve <b>) you can't trust an unsigned checksum regardless of how strong the https cert/crypto as the web admin could still tamper with the data. Sure possible, but not super plausible. You're putting some trust in the administration of that website to begin with. -- paul moore www.paul-moore.com