* Matthew Toseland <toad at amphibian.dyndns.org> [2008-12-16 00:28:54]:
> > > > > > I'm not arguing we should invest $ into getting a signed
> > > > > > certificate. I am sure we have professional developers here
> > > > > > who do have a valid, trusted certificate.
> > > > >
> > > > > Whom we can trust? Such as?
> > > >
> > > > I don't think it's a matter of trust here; well, I don't know; I do have
> > > > one for instance and I'm sure we could find others if we asked.
> > > >
> > > > Would anyone reading this mailing list volunteer to build and sign one
> > > > of our installers?
> > >
> > > IMHO it is a matter of trust as much as anything.
> >
> > It shouldn't be up to us trusting someone: it's the user's
> > responsibility to trust or not the guy who packaged the installer he is
> > going to use. That's why we introduce a 3rd party here!
> >
> > In case of debian you trust the packager for being honest; he doesn't
> > even have to be endorsed by upstream.
>
> No. We provide binaries so WE decide who to trust.

Hmm, Zero3's main point for providing an offline installer is that it
can be redistributed... by 3rd parties we have no control over.

Unless we pay for a "real" certificate, issued to FPI I don't see how
the scheme can hold :)