Ben Bucksch wrote:
> I wouldn't use the net installer at all and instead use the
> tarballs/zipfiles or the full installer.

Well, that's useless - anybody who can manipulate the files that the installer downloads can manipulate the installer itself as well so that it would trust the binaries.

Also, if you would PGP sign the binaries, you would need to make sure that the used key really belongs to mozilla.org/Netscape and is not created by the one who modifies your binaries. But how can you be sure that it does? You can't trust the internet for verification, because the hypothetical person controls it (in your (Sven's) example).

--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin