>> Certainly. However, telling them that they have to wait just so that >> Windows finds out what they know already (that this is the MSI file >> from the Python Software Foundation, or from Martin v. Löwis) is >> even more nasty. > > Educated, adult developers with good internet connections may know that, > but all users? What about software on a CD or a memory stick?
Also, I believe users *still* get a confirmation window, just the message changes from "we don't know who wrote this software" to "we know PSF wrote it - do you trust them?" So, "all users" aren't any better off with authenticode. > I haven't looked at authenticode, but I guess it's a cryptographical > signature. Correct. > That defaults to a good thing. That's a very common pitfall, and untrue. People are talked into believing that signed software is "more trustworthy" than unsigned software. This is absolutely not the case. The signed software may just as well contain malware. The only difference is that you can go after the author - provided you can get hold of him, and provided you can prove (in court) that it was actual that software that caused the damage. Depending on the malware, you may not even know that damage was made, e.g. if it was signed spyware. So code-signing can very realistically give a false sense of security. This is *not* a good thing. > You will have the say whether Python uses authenticode, but I'm not > convinced by your arguments. I think I'll have to produce a signed version of the 2.5.1 installer, so that people can see for themselves. Regards, Martin _______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig
