Jeroen van Meeuwen wrote:
> The goal is, of course, to verify the .iso against what is listed as
> its sha256sum. Whether the tools ultimately come from the same
> source doesn't matter. It should, though, be advisable to not
> include the sha256sum.exe on the mirrors, and only serve the file
> over http over ssl.

Indeed, that's the plan. It would be served up via SSL, just as the
GPG keys and *-CHECKSUM files are currently. That way, if someone
comes to https://fedoraproject.org/verify, they at least have our SSL
certificate as a starting point for trust.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chemistry is applied theology.
-- Augustus Owsley Stanley