Philip Hazel <ph10@???> writes:

> Do you need more?

I think MD5 sums in release announcements are no longer sufficient.
Someone might distribute a forged announcement and put a trojaned
version on the FTP servers.

> If so, it will take time for me to obtain, install, learn about, and
> use cryptographic signing software.

Installing GnuPG on a GNU/Linux or recent Solaris system (Solaris 8
with /dev/random patch and Solaris 9 are fine) is straightforward.
But you might want to wait for the 1.2.1 version which corrects a few
bugs.

Anyway, I can post a list of steps required to sign Exim releases using
OpenPGP. Interested?

> Not to mention organizing the appropriate keys.

You don't have to obtain a certification from some well-known CA. It
would be sufficient if Ian Jackson signed your key (I think he's still
at Cambridge). ;-)

--
Florian Weimer Weimer@???
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898