Robert Collins wrote:

>----- Original Message -----
>From: "Charles Wilson" <[EMAIL PROTECTED]>
>To: "Robert Collins" <[EMAIL PROTECTED]>
>Sent: Thursday, July 11, 2002 10:17 AM
>Subject: Re: unofficial packages
>
>>Robert Collins wrote:
>>
>>>Yes, this requires documenting who maintains packages, but it doesn't have to
>>>be easily available to end users (i.e. the user interface doesn't have to
>>>expose it).
>>
>>Hmmm...so *setup* would have to know who maintains what, as far as
>>official packages go. Now, this can't be compiled-into the executable;
>>it has to be distributed from the mirrors. Are you thinking encryption?
>>'cause that's pointless -- the decryption key has to be bound into
>>setup.exe; thus, available from setup's sources.
>
>No, I'm thinking it's part of the setup.bz2 file.

IIRC, /encryption/ requires to know the _recipient's_ public key. OTOH, /signing/ the info with a known key requires only to know the _sender's_ public key.

>Give every official maintainer an @cygwin.com address, and those addresses
>point straight into [EMAIL PROTECTED] for maintainers that object to private
>mail.

And this would make the info in the keyring suitable for public consumption - nothing sensitive in that. The only 'gotcha' is, if I have a "[EMAIL PROTECTED]" address - as I already have one at "@users.sourceforge.net" it would probably just relay mail to my normal inbox. Anybody ill-willed who gets it can be just as much a PITA as if he knew my "real" address.

--
David A. Cobb, Software Engineer, Public Access Advocate
"By God's Grace I am a Christian man, by my actions a great sinner." -- The Way of a Pilgrim; R. M. French, tr.
Life is too short to tolerate crappy software.
