On 2016-11-04 13:51, Paul.Koning@dell.com wrote:
On Nov 4, 2016, at 3:27 PM, Paul Eggert <eggert@CS.UCLA.EDU> wrote: This all sounds complicated, though. The developers of Oracle's TZUpdater tool apparently found the .asc files to be too much of a hassle, and instead use SHA-512 checksums from a central server instead. Should we slap more gingerbread atop a signature-checking procedure that already may be a bridge too far? No. If people don't know how to handle .ASC files, let them learn. That's elementary IT technology; it's not our job to work around people who haven't learned the tools of their trade.
Think you may be jumping to unjustified conclusions, based on totally incorrect assumptions. More likely Oracle is just cognizant of their customers, who each may have hundreds or thousands of heavily firewalled back end servers, whose security staff don't want to punch a hole through to the internet, or add other products of limited utility that have to be security qualified before they can be installed on servers, and whose every patched release has to be requalified. Their "updated" approach is probably their standard method for corporate customers. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada