Author: Jeffrey C. Ollie
Date:
To: exim-users
Subject: Re: [Exim] OpenPGP signatures on Exim releases

On Wed, 2002-10-09 at 12:20, Phil Chambers wrote:
>
> This does seem to be going over the top rather. If the MD5 hash can be displayed on
> both the ftp site and the web site then I think there would be very little prospect
> of that value being compromised. Someone would have to compromise both the ftp site
> and the web site and if someone periodically checked both it would be apparent
> that it had happened. We are not talking about national security here!

I don't think that PGP signing software distributions is "over the top",
not anymore anyway. Just witness the recent OpenSSH debacle. Really,
once Philip gets set up and comfortable using gpg (or whatever) it will
only take a few minutes each time he creates a release, plus a little
time here and there maintaining his keys.

Of course, right now I'd rather see him finish the new edition of the
book, but hopefully after that he'll find some time to sit down and play
with PGP signing future releases.