_wldu on Hacker News

Ask HN: Unsigned Software Downloads

Why do some large, reputable open source projects not provide digital signatures for software downloads? I thought everyone did this now, but neither Golang or Postgres sign downloads they publish. Why not?

https://go.dev/dl/

https://www.postgresql.org/ftp/source/v15.0/

As counter examples, both the Linux kernel and rust sign downloads they publish:

https://kernel.org/

https://forge.rust-lang.org/infra/other-installation-methods.html#source-code

What is the reason that Google and Postgres have for not signing software downloads? MD5 and SHA256 checksums do not verify the authenticity of the downloaded software.

6_wldu3y ago5

The End of Programming (opens in new tab)

(mdwdotla.medium.com)

1_wldu3y ago1

Ask HN: Unsigned Software Downloads

https://go.dev/dl/

https://www.postgresql.org/ftp/source/v15.0/

As counter examples, both the Linux kernel and rust sign downloads they publish:

https://kernel.org/

https://forge.rust-lang.org/infra/other-installation-methods.html#source-code

What is the reason that Google and Postgres have for not signing software downloads? MD5 and SHA256 checksums do not verify the authenticity of the downloaded software.

6_wldu3y ago5

The End of Programming (opens in new tab)

(mdwdotla.medium.com)

1_wldu3y ago1

_wldu

Recent submissions

Phishing-Resistant MFA Does Not Mean Un-Phishable (opens in new tab)

Data is a Toxic Asset (2016) (opens in new tab)

So I lost my OpenBSD FDE password (2016) (opens in new tab)

Ask HN: Unsigned Software Downloads

The Mossad/not-Mossad security duality [pdf] (opens in new tab)

The Secretive Company Selling Mass Surveillance to Local Police (opens in new tab)

The End of Programming (opens in new tab)

What I learned working two FT remote jobs (opens in new tab)

Recent submissions

Phishing-Resistant MFA Does Not Mean Un-Phishable (opens in new tab)

Data is a Toxic Asset (2016) (opens in new tab)

So I lost my OpenBSD FDE password (2016) (opens in new tab)

Ask HN: Unsigned Software Downloads

The Mossad/not-Mossad security duality [pdf] (opens in new tab)

The Secretive Company Selling Mass Surveillance to Local Police (opens in new tab)

The End of Programming (opens in new tab)

What I learned working two FT remote jobs (opens in new tab)