
Digital Signatures on distribution packages

Has consideration been given to the use of digital
signatures on the distribution packages that are available
from the OpenLDAP ftp server? [1]  I know that there are
md5 checksums on the ftp site, but those are useful only
to verify that the download worked OK. I'm talking about
source-verifiable signatures such as are possible with GPG.
My employer is considering a policy that would prohibit
the use of open-source software downloaded without any such
source verification.  From what I can tell this would make
it difficult for us to use newer versions [2] of OpenLDAP,
since such signatures are not available.

While I certainly wouldn't expect such an effort to be made
just for a single non-contributing user, the reality of
attacks against other free software project servers would
seem to indicate that this would be a Good Idea anyway.

Thanks for any thoughts on this y'all can provide,
--Bob Drzyzgula

[1] I apologize if this has been hashed out before, or if
this is the wrong list to ask this question. I did spend
some time with webglimpse on the mailing list archives
and with other tools in my own archive extending back to
last April, and I didn't find it discussed, although I'll
admit to having signal-to-noise ratio problems what with
all the hits on digital signatures within mailing list
posts. I welcome redirection to prior discussion and/or
the proper forum.

[2] In our discussions of this matter, it appears that
source packages signed by, e.g., RedHat and distributed in
a source RPM would be acceptable, but it often takes some
time for new versions to trickle down to those channels.
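The distinction the post draws between an md5 checksum and a GPG signature, shown as an added example; this is not part of the original post and is not OpenLDAP's release procedure. It assumes GnuPG 2.1 or later and GNU coreutils md5sum are installed; the file name release.tgz, its contents, the throwaway signing key and the "compromised mirror" directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenLDAP project.
# Assumptions: gpg (GnuPG 2.1+) and GNU coreutils md5sum are installed;
# release.tgz is a constructed stand-in for a real distribution tarball.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# --- Releaser side -------------------------------------------------------
# Constructed stand-in for the tarball that would sit on the ftp server.
printf 'pretend this is a release tarball\n' > "$WORK/release.tgz"

# Throwaway signing key (no passphrase, batch mode). A real project would
# publish its key fingerprint through a channel independent of the mirror.
gpg --batch --quiet --gen-key <<EOF 2>/dev/null
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Release Signer (example)
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF

# Publish the tarball with an md5 checksum file and a detached signature.
(cd "$WORK" && md5sum release.tgz > release.tgz.md5)
gpg --batch --yes --armor --detach-sign \
    --output "$WORK/release.tgz.asc" "$WORK/release.tgz"

# --- Downloader side -----------------------------------------------------
# check_md5 DIR: succeeds if DIR/release.tgz matches DIR/release.tgz.md5.
# This only proves the bytes match what the same server says they should be.
check_md5() {
    (cd "$1" && md5sum -c --quiet release.tgz.md5 >/dev/null 2>&1)
}

# check_sig DIR: succeeds if DIR/release.tgz.asc is a good signature over
# DIR/release.tgz by a key already in our keyring (obtained out of band).
check_sig() {
    gpg --batch --verify "$1/release.tgz.asc" "$1/release.tgz" >/dev/null 2>&1
}

echo "honest mirror:"
check_md5 "$WORK" && echo "  md5 checksum OK"
check_sig "$WORK" && echo "  signature OK"

# Compromised mirror: the attacker swaps the tarball and regenerates the md5
# file next to it, but cannot produce a signature without the private key.
MIRROR="$WORK/mirror"
mkdir "$MIRROR"
cp "$WORK/release.tgz.asc" "$MIRROR/"
printf 'trojaned build\n' > "$MIRROR/release.tgz"
(cd "$MIRROR" && md5sum release.tgz > release.tgz.md5)

echo "compromised mirror:"
check_md5 "$MIRROR" && echo "  md5 checksum still OK (says nothing about origin)"
check_sig "$MIRROR" || echo "  signature BAD (not signed by the release key)"

gpgconf --kill gpg-agent 2>/dev/null || true
```

The checksum file lives on the same server as the tarball, so whoever can replace one can replace the other; that is why the post treats md5 checksums as a download check only. The signature check is only as strong as the way the public key was obtained: if the downloader imports whatever key the mirror offers, an attacker simply signs the trojaned tarball with a key of their own, so the fingerprint has to come from a channel the mirror does not control.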