Christian Biesinger wrote:
> Ben Bucksch wrote:
>
>> I wouldn't use the net installer at all and instead use the
>> tarballs/zipfiles or the full installer.
>
> Well, that's useless - anybody who can manipulate the files that the
> installer downloads can manipulate the installer itself as well so
> that it would trust the binaries.

That's why I said you need to sign them!?!

> Also, if you would PGP sign the binaries, you would need to make sure
> that the used key really belongs to mozilla.org/Netscape and is not
> created by the one who modifies your binaries. But how can you be sure
> that it does? You can't trust the internet for verification, because
> the hypothetical person controls it (in your (Sven's) example).

1. The key usually lasts for a year, and subsequent keys can be verified
   with it. This means that I only have to get the right one *once* and
   not worry after that.
2. The "web of trust". The mozilla.org key can be signed by e.g. scc and
   Redhat. It is possible that I already trust one of them, directly or
   indirectly.
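
The two points in the reply above (key continuity and the web of trust), modelled as an added example that is not part of the original message: a search for a chain of signatures from a key the user already trusts to the key that signed a download. The key ids and the `CERTIFICATIONS` data are constructed, and each edge is assumed to stand for a signature that has already been cryptographically verified; no real PGP operations are performed.

```python
from collections import deque

# Constructed certification data: signer key id -> key ids it has signed.
# Assumption: every edge is a signature that was already verified.
CERTIFICATIONS = {
    "redhat": {"mozilla-2001"},
    "scc": {"mozilla-2001"},
    "mozilla-2001": {"mozilla-2002"},   # yearly rollover: old key signs new key
    "mozilla-2002": {"mozilla-2003"},
    "attacker": {"fake-mozilla"},       # key nobody trusted has vouched for
}


def trust_path(trusted, target, certs=CERTIFICATIONS, max_hops=4):
    """Return the shortest signature chain from a trusted key to target.

    trusted  -- key ids the user verified out of band (obtained "once")
    max_hops -- longest chain of signatures the user is willing to accept
    Returns a list of key ids, or None when no acceptable chain exists.
    """
    queue = deque([key] for key in sorted(trusted))
    seen = set(trusted)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_hops:
            continue  # chain already as long as allowed; do not extend it
        for signed in sorted(certs.get(path[-1], ())):
            if signed not in seen:
                seen.add(signed)
                queue.append(path + [signed])
    return None


if __name__ == "__main__":
    # Point 1: the 2001 key was obtained correctly once; later keys chain to it.
    print(trust_path({"mozilla-2001"}, "mozilla-2003"))
    # Point 2: the user trusts Redhat, which signed the mozilla.org key.
    print(trust_path({"redhat"}, "mozilla-2002"))
    # A substituted key has no chain from anything the user trusts.
    print(trust_path({"redhat", "scc"}, "fake-mozilla"))
```
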