Subject: Re: sign the releases
From: rms@greymalkin.yi.org
Date: Wed Nov 22 2000 - 10:41:14 CST
On Wed, Nov 22, 2000 at 10:02:12AM -0600, Sam TH wrote:
> On Wed, Nov 22, 2000 at 12:23:01PM +0000, Rui M Silva wrote:
> > In the upcoming release, would it be possible for someone to sign the released packages?
> > Please, sign it with pgp or gpg and use a key which is already recognized by a trusted third party.
> > I'd really appreciate it if you did that, for I can only install abiword at work provided it is certified.
> I presume you mean the Windows versions (see recent stories on Slashdot
> for lots more info on this). Unfortunately, that would mean shelling
> out large sums of money to Verisign, so unless someone decides to donate
> that money, I don't think it's going to happen.
You presume 2 things wrong:
1) that only the Windows versions would need signing
2) that you need Verisign at all
ALL release packages should be signed. That's a question of reliability of the distributed package.
pgp or gpg will do just fine. All you need is to have someone who already distributes the key on a CD, for example RedHat, SuSE..., to sign the key which will be used to sign the packages.
That way: a) we know abiword developers (really produced the package) and b) we know abiword key is correct due to having a third party that confirms it.
I think that this would only bring good, and the hardest part is getting a trusted third party.
But I see little reason for such an agreement not to happen in the near future.
For example: all rpm packages from RedHat are signed. The Linux kernel is signed.
hugs, rms
--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
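
The scheme proposed in the message above (a third party certifies the project's key, and that key signs each package), as an added example that is not part of the original post or the project's own tooling. It assumes GnuPG 2.1 or later and that the user already holds both public keys; every name, address and file name is constructed.

```shell
#!/bin/sh
# Added example. Run it with GNUPGHOME pointing at a throwaway directory.

fpr_of() {  # fpr_of UID: fingerprint of the primary key matching UID
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: '$1=="fpr"{print $10; exit}'
}

# Maintainer side: a third party ("distro") certifies the project key,
# then the project key makes a detached signature over the release file.
make_demo_release() {  # make_demo_release FILE  -> writes FILE.asc
    for uid in "Demo Distro <distro@example.org>" \
               "Demo Project <project@example.org>"; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" default default never || return 1
    done
    gpg --batch --yes --quiet -u distro@example.org \
        --quick-sign-key "$(fpr_of project@example.org)" || return 1
    gpg --batch --yes --quiet -u project@example.org \
        --armor --detach-sign --output "$1.asc" "$1"
}

# User side: accept FILE only if (a) SIG is a valid signature over it and
# (b) the signing key carries a good certification from THIRD_PARTY_FPR.
verify_release() {  # verify_release FILE SIG THIRD_PARTY_FPR
    # VALIDSIG is only emitted for a cryptographically good signature;
    # its last field is the fingerprint of the signer's primary key.
    signer=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
             awk '$2=="VALIDSIG"{print $NF; exit}')
    [ -n "$signer" ] || { echo "bad or missing signature" >&2; return 1; }
    # For v4 keys the long key ID is the last 16 hex digits of the fingerprint.
    issuer=$(printf %s "$3" | tail -c 16)
    # --check-sigs marks each verified certification with "!" in field 2.
    gpg --batch --with-colons --check-sigs "$signer" 2>/dev/null |
        awk -F: -v id="$issuer" \
            '$1=="sig" && $2 ~ /^!/ && $5==id {ok=1} END{exit !ok}' ||
        { echo "signing key not certified by third party" >&2; return 1; }
}

# Usage (constructed file name):
#   export GNUPGHOME=$(mktemp -d); echo demo > release.tar.gz
#   make_demo_release release.tar.gz
#   verify_release release.tar.gz release.tar.gz.asc "$(fpr_of distro@example.org)"
```

The check is only as strong as the way the third-party fingerprint was obtained; it must come from a channel independent of the download, such as the distribution CD mentioned above.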