Ben Bucksch wrote:
> I wouldn't use the net installer at all and instead use the
> tarballs/zipfiles or the full installer.
Well, that's useless - anybody who can manipulate the files that the
installer downloads can manipulate the installer itself as well so that
it would trust the binaries.
Also, if you would PGP sign the binaries, you would need to make sure
that the used key really belongs to mozilla.org/Netscape and is not
created by the one who modifies your binaries. But how can you be sure
that it does? You can't trust the internet for verification, because the
hypothetical person controls it (in your (Sven's) example).
--
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin
