Herewith my 2c:
- run static code analyzer against GPG source code (e.g. llvm's
scan-build). Verify GPG source code against keys provided after
downloading. (Of course is manual inspection also a possibility, but at
least for our team scan-build catches more errors than the humans
involved).
I guess I should've said what my use case is:
I want a boot system that unlocks a partition where everything is
checked to prevent an evil maid attack. I can sign / check everything
but the key and the integrity checker. However, someone could replace
gpg with a version that logs to something. I
On Wed, May 29, 2013 at 11:02 AM, shawn wilson ag4ve...@gmail.com wrote:
I guess I should've said what my use case is:
I want a boot system that unlocks a partition where everything is
checked to prevent an evil maid attack. I can sign / check everything
but the key and the integrity checker.
