On Wed, Nov 22, 2000 at 10:02:12AM -0600, Sam TH wrote:
> On Wed, Nov 22, 2000 at 12:23:01PM +0000, Rui M Silva wrote:
> > In the upcoming release, would it be possible for someone to sign the released
> > packages?
> > Please, sign it with pgp or gpg and use a key which is already recognized by a
> > trusted third party.
> > I'd really appreciate it if you did that, for I can only install abiword at work
> > provided it is certified.
> I presume you mean the windows versions (see recent stories on slashdot
> for lots more info on this). Unfortunately, that would mean shelling
> out large sums of money to Verisign, so unless someone decides to donate
> that money, I don't think it's going to happen.
You presume 2 things wrong:
1) that only the windows versions would need signing
2) that you need Verisign at all
ALL release packages should be signed. That's a question of reliability of the
distributed package.
pgp or gpg will do just fine. All you need is to have someone who already distributes
the key in a CD, for example RedHat, SuSE..., to sign the key which will be used to
sign the packages.
That way: a) we know the abiword developers really produced the package and b) we know
the abiword key is correct due to having a third party that confirms it.
I think that this would only bring good, and the hardest part is getting a trusted
third party.
But I see little reason for such an agreement not to happen in the near future.
For example: all rpm packages from RedHat are signed. The linux kernel is signed.
hugs, rms
--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?