On Dec 5, 2007, at 7:46 PM, Rui Miguel Silva Seabra wrote:

> I don't see what is the problem with blessing a fingerprint of the
> binaries with a PKI signature, which would mean that *these* are the
> binaries the devs intended to release.

Who would sign the binaries?
Would each package maintainer sign his own packages?
Does Theo have to sign each package?
I don't see a problem in having signatures for software, but I do see
problems in creating and maintaining an infrastructure for these signatures.
And what would you gain?
What guarantees would these signatures give you?
You can verify package consistency with md5 sums.

If you are paranoid, why would you trust the devs? You would just compile the software yourself. But only after reading each line of code of course.


Floor Terra
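An added illustration of the trade-off the two posters are arguing about; it is not part of the thread and not any OpenBSD or ports tooling. The constructed "mirror" below publishes a binary, an MD5 listing beside it, and a signature over the file's SHA-256 fingerprint. The signature scheme is textbook RSA over two Mersenne primes, chosen only so the example runs with the standard library alone (an assumption of this example; the key is trivially factorable and never usable for real signing). The point it demonstrates: a checksum served from the same place as the file catches accidental corruption, but whoever can rewrite the file can rewrite the listing, while a signature over the fingerprint cannot be re-issued without the developers' private key.

```python
import hashlib

# Toy textbook RSA with Mersenne primes: constructed for this example only,
# trivially factorable, with no padding. Real projects use a proper signing
# tool and a key that is not guessable from its size.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q                      # ~648 bits, so a 256-bit hash fits as a message
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def fingerprint(data: bytes) -> int:
    """SHA-256 of the release, as an integer below N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int = D) -> int:
    """Developer-side: sign the fingerprint with the private exponent."""
    return pow(fingerprint(data), d, N)


def verify(data: bytes, sig: int, e: int = E) -> bool:
    """User-side: needs only the public (N, E), never the private key."""
    return pow(sig, e, N) == fingerprint(data)


# Constructed sample releases (not real packages).
GENUINE = b"#!/bin/sh\necho genuine package\n"
ALTERED = b"#!/bin/sh\necho modified package\n"


def publish(binary: bytes) -> dict:
    """What the developers upload: file, MD5 listing and detached signature.
    MD5 is used here only because the thread mentions it; it has had
    practical collision attacks since 2004."""
    return {
        "binary": binary,
        "md5": hashlib.md5(binary).hexdigest(),
        "sig": sign(binary),
    }


def check_md5(mirror: dict) -> bool:
    """Consistency check against the listing served beside the file."""
    return hashlib.md5(mirror["binary"]).hexdigest() == mirror["md5"]


def check_signature(mirror: dict) -> bool:
    """Authenticity check against the developers' public key."""
    return verify(mirror["binary"], mirror["sig"])


def mirror_rewritten(mirror: dict, replacement: bytes) -> dict:
    """Model a compromised or unfaithful mirror: it can replace the file and
    regenerate the listing, but has no private key to regenerate the signature."""
    copy = dict(mirror)
    copy["binary"] = replacement
    copy["md5"] = hashlib.md5(replacement).hexdigest()
    return copy


def scenario() -> dict:
    """Run both checks against the honest mirror and the rewritten one."""
    honest = publish(GENUINE)
    rewritten = mirror_rewritten(honest, ALTERED)
    return {
        "honest_md5": check_md5(honest),            # True
        "honest_sig": check_signature(honest),      # True
        "rewritten_md5": check_md5(rewritten),      # True: listing was rewritten too
        "rewritten_sig": check_signature(rewritten),  # False: no key to re-sign
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The result that matters is the last pair: the MD5 consistency check still passes on the rewritten mirror, which is exactly why a sum published next to the file answers "did the download arrive intact?" and not "is this what the developers released?". The cost the reply points at, deciding who holds the signing key and how users obtain the public half, is what the signature buys its answer with.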
