15 Jun
2004
15 Jun
'04
5:44 p.m.
On Tue, Jun 15, 2004 at 05:14:46PM +0100, Paul Millar wrote:
With network security, any activity implies at least some trust. The script wasn't brilliant, but pushing the functionality into winrash doesn't really solve the problem: we'd still need to verify the binaries somehow, or just trust that the binaries are OK.
Yes, we need to verify them, but not before we verify the script. Otherwise, it's much easier to feed us a hacked script...
But, in the mean time, I'll continue generating the sig files (as it happens automatically) so future gpg verification-code has something to test against.
Sure, that can't hurt, maybe one day we'll use it.
--
Dimi.