Martin Cooper wrote:
On Tue, Apr 8, 2008 at 6:57 PM, Jeromy Evans <[EMAIL PROTECTED]> wrote:


Understood.  Can I sign and distribute Don's binaries[1] or *must* they be
signed by the person that built them?


I've lost track of why Don can't sign them himself, but I would consider it
OK for you to do that if you use the following process:

1) Have Don e-mail you the binaries or otherwise get them to you in a way
that they could not be intercepted. (I don't consider you picking them up
from the URL below to be acceptable because there is a chance, however slim,
that those binaries could have been compromised. And yes, I realise that
e-mail can in fact be intercepted as well, but if you guys coordinate
time-wise, I think that is an acceptable risk.)

2) You sign them, and mail the .asc files back to Don.

3) Don verifies that the .asc files you sent him validate successfully
against the binaries that he has.

At this point, you (Jeromy) have the appropriate signatures for what Don
originally built, as well as the binaries, and can take it from there.

Thanks Martin. That doesn't take Don out of the loop, so it won't alleviate the issue that he's been too busy to sign and distribute the binaries. If he's able to validate the .asc against the original binaries, he's able to generate them. It's less effort and risk to wait until Don has time to complete the task.
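
The three-step process quoted above, written out as GnuPG commands. This is an added illustration, not part of the thread or the project's release tooling; the throwaway key, file names and file contents are constructed, and GnuPG 2.1 or later is assumed. The "altered" round shows what step 3 is there to catch: a binary that changed on its way to the signer.

```shell
#!/usr/bin/env bash
# Added illustration; key, file names and contents are constructed.
# Assumes GnuPG 2.1 or later on PATH.

# Throwaway keyring so the demo never touches a real one.
setup_demo_key() {
  GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Signer <signer@example.invalid>' ed25519 sign never
}

# Step 2: the signer writes an ASCII-armored detached signature to FILE.asc.
sign_artifact() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign --output "$1.asc" "$1"
}

# Step 3: the builder checks the returned .asc against the file he built.
# Exit status is 0 only when the signature covers exactly these bytes.
verify_artifact() {
  gpg --batch --quiet --verify "$2" "$1" 2>/dev/null
}

# One round of the exchange. $1 is "intact" or "altered": what happened
# to the binary on its way to the signer. Returns the result of step 3
# (3 means signing itself failed).
exchange() {
  local work; work="$(mktemp -d)"
  printf 'constructed release bytes\n' > "$work/built.jar"   # builder's original
  cp "$work/built.jar" "$work/received.jar"                   # step 1: transfer
  if [ "$1" = altered ]; then printf 'x' >> "$work/received.jar"; fi
  sign_artifact "$work/received.jar" || return 3              # step 2
  verify_artifact "$work/built.jar" "$work/received.jar.asc"  # step 3
}

if setup_demo_key; then
  for transfer in intact altered; do
    if exchange "$transfer"; then echo "$transfer transfer: signature validates"
    else echo "$transfer transfer: signature does NOT validate"; fi
  done
fi
```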

