> Well, you could certainly put the key and signify sources on the main
> website. The CVS thing doesn't seem to be HTTPS-enabled.

You mean like here?

http://www.openbsd.org/59.html
and
http://www.openbsd.org/58.html
and
http://www.openbsd.org/57.html
and
http://www.openbsd.org/56.html

EVERY ONE of those pages have.

See it, just a few lines down the page, on the right hand side of the page?

You can find the keys in thousands of places. They are short. You cannot find a wrong key. I challenge you to find a wrong key for one of our releases somewhere, without some red flags going off immediately.

Can you find a bogus version of the signify source code? Will you trust the compiler you build it with? Will you trust the operating system you compile it on? Will you trust the machine you are using?

> But somehow, I get the feeling you don't want any sort of fix.

You should get the feeling that we believe you are one of those demanding types that read a PGP book a few years ago and wants to tell the world it should be done that way. Or else, if we don't do what you want, then we are jerks.

Sorry, I see it the other way around.