On Mon, Dec 14, 2009 at 8:00 PM, Alvaro Herrera
<alvherre@commandprompt.com> wrote:
>> Ideally, we should serve up the MD5s from an SSL enabled webserver.
>> Something to think about for the future.
>
> Shouldn't we distribute the MD5 signatures along the release message,
> which should itself be signed with some appropriate GPG key?
That sounds right to me. Even if it's not signed I can go check the
various mail archives to verify that other people saw the same
signatures and nobody else complained about a spoofed file.
--
greg