>>> Educated, adult developers with good internet connections may know that,
>>> but all users? What about software on a CD or a memory stick?
>>
>> Also, I believe users *still* get a confirmation window, just the
>> message changes from "we don't know who wrote this software" to
>> "we know PSF wrote it - do you trust them?"
>
> Ugh. Still better than a warning.

It's still a warning.

>> That's a very common pitfall, and untrue. People are talked into
>> believing that signed software is "more trustworthy" than unsigned
>> software. This is absolutely not the case. The signed software may
>> just as well contain malware. The only difference is that you can
>> go after the author - provided you can get hold of him, and provided
>> you can prove (in court) that it was actually that software that
>> caused the damage. Depending on the malware, you may not even know
>> that damage was made, e.g. if it was signed spyware.
>
> Yes, I am aware of that. But the signature makes a man-in-the-middle
> attack harder.

Sure. However, I think that this protection against an unlikely scenario
cannot outweigh the main problem of code signing: that people get a false
sense of security. And trust (sic) me: they do.

Regards,
Martin

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
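The two properties the thread argues over can be shown side by side in a few lines. The Go program below is an added illustration and not part of the thread or of any Python packaging code; the publisher key is generated on the fly and both "installer" payloads and the one-byte tampering step are constructed for the demo. It uses the standard library's Ed25519 (crypto/ed25519), so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedArtifact stands in for a downloaded installer together with its
// detached signature. The payloads used below are constructed sample bytes.
type SignedArtifact struct {
	Payload   []byte
	Signature []byte
}

// Sign is what the publisher does at release time.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedArtifact {
	return SignedArtifact{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify is what the installer does before running the payload. It answers
// exactly one question: were these bytes signed by the holder of the key
// matching pub? It says nothing about what the bytes do.
func Verify(pub ed25519.PublicKey, a SignedArtifact) bool {
	return ed25519.Verify(pub, a.Payload, a.Signature)
}

// Tamper models an on-path change to the payload after it was signed
// (the "man-in-the-middle" case in the thread): flip one byte, keep the signature.
func Tamper(a SignedArtifact) SignedArtifact {
	p := append([]byte(nil), a.Payload...)
	p[len(p)-1] ^= 0x01
	return SignedArtifact{Payload: p, Signature: a.Signature}
}

// Outcome records the verification result for the three cases discussed.
type Outcome struct {
	Genuine       bool // untouched, signed by the publisher
	Tampered      bool // modified in transit: signature no longer matches
	SignedSpyware bool // publisher signed something harmful: still verifies
}

// Demo generates a throwaway publisher key, signs two constructed payloads and
// checks them as an installer would.
func Demo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	benign := Sign(priv, []byte("installer v1.0 (constructed sample payload)"))
	harmful := Sign(priv, []byte("installer v1.0 with spyware (constructed sample payload)"))
	return Outcome{
		Genuine:       Verify(pub, benign),
		Tampered:      Verify(pub, Tamper(benign)),
		SignedSpyware: Verify(pub, harmful),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v\n", o.Genuine)
	fmt.Printf("tampered in transit verifies: %v\n", o.Tampered)
	fmt.Printf("publisher-signed spyware verifies: %v\n", o.SignedSpyware)
}
```

The first two results are the point in the signature's favour: a payload altered between publisher and user fails verification, which is why the signature raises the bar for on-path tampering. The third result is Martin's point: verification only binds bytes to a key, so a harmful payload signed by the publisher verifies just as cleanly, and a dialog that reads "we know who wrote it" must not be read as "it is safe".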