Hi everybody,

on http://www.gnupg.org/download/integrity_check.en.html
SHA1 sums of gnupg software are published and it is said:

"To be sure that this page has not been tampered, you may want to compare the list below with the one included in the announcement mail posted to several mailing list".

Which mailing lists are meant? Can't emails be tampered with, too? If I've just downloaded gnupg and if I'm not on any mailing list, what can I do? I feel it would be nice to add the following lines to the description on the homepage:

"The authors of gnupg keep an offline copy of the SHA1 sums of their programs and try to compare them with the SHA1 sums presented here every week. Thus, if you have been comparing your SHA1 sum with the one on the homepage for several days and they matched every time, you can be rather sure your version of gnupg has not been tampered with."

My question now is: Does such a check really take place and if so, how often is it performed?

Further I feel the following lines should be added to the homepage, especially because it might be useful for Windows users:

"In order to calculate the SHA1 sums you should at least use two different programs. On the internet many free programs can be found which can be used for that."

What do you think? I'm grateful for answers.
Jan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
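The post above asks how a user should compute the SHA1 sum of a download and compare it with the published list, ideally with two different programs. As an added example (not code from the original post and not part of GnuPG), the following Python script verifies files against a list in sha1sum format using two independent SHA1 implementations, Python's hashlib and a separate pure-Python SHA1, so that a single broken or tampered hash tool cannot silently report a match. The filenames, file contents and the published list are constructed sample data, not real releases; the third list entry is deliberately absent from the downloads and the second deliberately wrong, to show how each failure mode is reported.

```python
import hashlib
import hmac
import struct


def _rotl(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_pure(data):
    """Independent pure-Python SHA1 (FIPS 180-4), the 'second program'
    that cross-checks hashlib so a single tampered hash tool cannot lie alone."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack(">Q", len(data) * 8)          # message length in bits, big-endian
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            t = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
            a, b, c, d, e = t, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return "".join("%08x" % x for x in h)


def parse_sha1sum_list(text):
    """Parse 'HASH  filename' lines as written by sha1sum ('*' marks binary mode)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed SHA1 line: %r" % line)
        sums[name.lstrip("*")] = digest
    return sums


def verify_files(published_text, files):
    """Check every entry of the published list against the downloaded files
    ({filename: bytes}) using two independent SHA1 implementations.
    Returns {filename: status}."""
    expected = parse_sha1sum_list(published_text)
    result = {}
    for name, digest in expected.items():
        if name not in files:
            result[name] = "missing"
            continue
        data = files[name]
        d1 = hashlib.sha1(data).hexdigest()
        d2 = sha1_pure(data)
        if not hmac.compare_digest(d1, d2):
            result[name] = "implementations disagree"   # one hash tool is broken or tampered
        elif hmac.compare_digest(d1, digest):
            result[name] = "ok"
        else:
            result[name] = "MISMATCH"
    return result


# Constructed sample data: hypothetical filenames and contents, not real releases.
SAMPLE_FILES = {
    "gnupg-example-1.tar.gz": b"release tarball bytes (constructed)",
    "gnupg-example-2.tar.gz": b"second tarball (constructed)",
}
SAMPLE_LIST = "\n".join([
    "# hypothetical integrity list in sha1sum format (constructed)",
    hashlib.sha1(SAMPLE_FILES["gnupg-example-1.tar.gz"]).hexdigest() + "  gnupg-example-1.tar.gz",
    "0000000000000000000000000000000000000000 *gnupg-example-2.tar.gz",   # wrong on purpose
    "da39a3ee5e6b4b0d3255bfef95601890afd80709  gnupg-example-3.tar.gz",   # never downloaded
])

if __name__ == "__main__":
    for name, status in sorted(verify_files(SAMPLE_LIST, SAMPLE_FILES).items()):
        print("%-26s %s" % (name, status))
```

In practice the file contents would be read from disk with `open(path, "rb").read()` and the list pasted from the web page or the announcement mail; the point of the two implementations is that a match reported by both, against a list fetched independently of the download, is much harder to fake than the output of one checksum program alone.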
