Re: (ITS#5639) Digital (PGP-)signature for downloadable sources

I figure that an attacker can convince most downloaders who might
verify a PGP signature that the project no longer signs releases,
making the project's use of PGP signatures moot. While it can be
argued that there might be some downloaders who want to establish
rigid signature verification procedures and follow them, I simply
haven't heard anyone claim to be such a downloader. And even if there
were a few that might now claim this, I think the amount of work
involved (both initially and on a per-release basis) is worth the time
spent.

I would argue time is better spent on improvements that benefit
most downloaders, such as a more comprehensive web/ftp change
detection/notice system.

-- Kurt