On 2/18/15 2:52 AM, Jonathan Schleifer wrote:
> Well, I guess you have to take into account that a lot of downloads are from packaging software like pkgsrc, FreeBSD ports, Gentoo portage, ArchLinux's makepkg, etc. Usually, these do download the signature and tarball once, verify it and then write a checksum to the Makefile / PKGBUILD / however it is called that is then verified. So I guess you can't easily map that to "Only x% of users check the downloaded tarball". I guess it's a lot more, it's just not all check it using the .sig.
Back when I was involved with the FreeBSD project I included code in the Makefile to verify the PGP signature for all of my ports that had one, as did a few other maintainers. However, there was not only not a consensus to do this more generally, there was active opposition to doing it at all.
If you are a FreeBSD user and believe that this would be something beneficial to the ports system, please send them e-mail at freebsd-po...@freebsd.org and let them know. :)
Doug

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
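The "verify the signature once, then pin a checksum that every later build re-checks" flow that the quoted message describes, and the Makefile-side signature check Doug mentions, as an added example. This is not code from the thread, from FreeBSD ports or from any other packaging system; it assumes a maintainer-controlled keyring file holding only the upstream release key (so the check does not depend on whatever is in the user's default keyring) and a distinfo-style file with lines of the form `SHA256 (<file>) = <hex>`. Both the keyring path and the distinfo layout are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the gnupg-users thread or any ports tree.
# Step 1 is the one-time maintainer action (PGP verify), steps 2 and 3 are the
# checksum pin that end users' builds verify on every fetch.

# Portable SHA-256 helper: coreutils sha256sum if present, else openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Step 1 (maintainer, once per release): verify the detached signature using
# ONLY the dedicated keyring, so a stray key in ~/.gnupg cannot satisfy it.
# $3 (the keyring path) is a hypothetical location chosen for this example.
verify_signature() {
    tarball=$1; sig=$2; keyring=$3
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$tarball"
}

# Step 2 (maintainer, after step 1 succeeded): pin the hash of the verified
# tarball into the distinfo-style file that is committed with the port.
pin_checksum() {
    tarball=$1; distinfo=$2
    printf 'SHA256 (%s) = %s\n' "$(basename "$tarball")" "$(sha256_of "$tarball")" >> "$distinfo"
}

# Step 3 (every build): compare the freshly fetched file with the pinned hash.
# Returns 0 on match, 1 on mismatch or when no entry is pinned for the file.
check_checksum() {
    tarball=$1; distinfo=$2
    name=$(basename "$tarball")
    expected=$(grep "^SHA256 ($name) = " "$distinfo" | sed 's/^.*= //')
    if [ -z "$expected" ]; then
        echo "no pinned checksum for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$tarball")
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $name"
        return 0
    fi
    echo "checksum MISMATCH for $name: expected $expected, got $actual" >&2
    return 1
}

# Convenience wrapper for the maintainer path: signature first, pin second.
# Usage: fetch_verify_and_pin foo-1.0.tar.gz foo-1.0.tar.gz.sig release.gpg distinfo
fetch_verify_and_pin() {
    verify_signature "$1" "$2" "$3" || return 1
    pin_checksum "$1" "$4"
}
```

The split matters for the point made in the thread: only the maintainer's machine needs gpg and the upstream key, while every downstream build still gets a hash check against a value that was recorded only after the signature verified. A pin made without step 1 succeeding is just a hash of whatever the mirror served that day, which is why `fetch_verify_and_pin` refuses to write the distinfo entry when `gpg --verify` fails.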