[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5639) Digital (PGP-)signature for downloadable sources

On Aug 4, 2008, at 2:06 PM, h.b.furuseth@usit.uio.no wrote:

> Kurt@OpenLDAP.org writes:
>> I note as well that properly deploying release signing requires
>> more than script modification.  For instance, one does need to
>> consider that the host to sign the releases might itself been
>> taken over and the implications of such a takeover.
> For that part, signatures in the 'https:' site would help.

I think you need to re-think that assertion.

> Not that I'm making an issue of it, I've got OpenLDAP installations
> that I didn't verify against any signature right on this host.
> -- 
> Hallvard