[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#5639) Digital (PGP-)signature for downloadable sources
I figure that an attacker can convince most downloaders who might
verify a PGP signature that the project no longer signs releases,
making the project's use of PGP signatures moot. While it can be
argued that there might be some downloaders who want to establish
rigid signature verification procedures and follow them, I simply
haven't heard anyone claim to be such a downloader. And even if there
where a few that might now claim this, I think the amount of work
involved (both initially and on a per release basis) is worth the time
spent.
I would argue time is better spent on improvements that are benefit
most downloaders, such as a more comprehensive web/ftp change
detection/notice system.
-- Kurt