On Tue, 8 Sep 2009 12:01:09 +1000 Morgan Storey <[email protected]> wrote:
> Hi Celejar,
>
> You can get him to PGP/GPG sign the package, then just verify it with
> his public key, or simply md5sum and sha1sum the package. There are MD5
> collisions so someone could make a package of the same size with the
> same md5 hash that contains different malicious code but for your
> needs it should be enough.
> Obviously the safest out of all of these is the PGP/GPG but the MD5
> and sha1 are easier to implement. In this case below I don't know the
> procedures but the developer will probably have a GPG key that he can
> sign the package with, then just get his public key off a key server
> and verify.

Thanks. I know that there are ways to do this, but I was wondering if
the developer needs to be asked in each case, or if there's some sort
of standard procedure that is followed.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

