We don't have a good way of distributing and managing the gpg keys, there is no script control over that part of winrash. If there was an automated and secure way of keeping the trusted signatures up to date I wouldn't mind turning it back on. It just has to be something that can be maintained without manual intervention with gpg. I'm also not really sure how the whole gpg signature thing works. Right now we bundle a config file for gpg that trusts your signature. Can we have that managed by the service so it happens automatically or does that implicitly violate the trust as we are getting the signature from the service initially?
Chris
On Friday 11 June 2004 9:49 am, Paul Millar wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi Dimi,
Why remove the verification of the code's gpg signature? It seems to break a basic security maxim: don't trust the network.
On Thursday 10 June 2004 22:48, Dimitrie O. Paun wrote:
ChangeLog Do not include irrelevant stuff in the _history. Do not instruct the client to verify the .sig, it's a b0rken idea anyway.
Paul Millar -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAybhq/9JwS78PA+kRAuv/AJ9Ulntb1MLGn+2gp8r/qpy6VqJDVACePwVB VXxAHr9gaBuMhIJ7P81ahMA= =0tkh -----END PGP SIGNATURE-----