Florent Daigni?re skrev: > * Matthew Toseland <toad at amphibian.dyndns.org> [2008-12-16 00:28:54]: > > >>>>>>> I'm not arguing we should invest $ into getting a signed >>>>>>> >> certificate. I >> >>>>>>> am sure we have professional developers here who do have a valid, >>>>>>> trusted certificate. >>>>>>> >>>>>> Whom we can trust? Such as? >>>>>> >>>>> I don't think it's a matter of trust here; well, I don't know; I do have >>>>> one for instance and I'm sure we could find others if we asked. >>>>> >>>>> Would anyone reading this mailing list volunteer to build and sign one >>>>> of our installers? >>>>> >>>> IMHO it is a matter of trust as much as anything. >>>> >>> It shouldn't be up to us trusting someone: it's the user's >>> responsibility to trust or not the guy who packaged the installer he is >>> going to use. That's why we introduce a 3rd party here! >>> >>> In case of debian you trust the packager for being honest; he doesn't >>> even have to be endorsed by upstream. >>> >> No. We provide binaries so WE decide who to trust. >> > > Hmm, Zero3's main point for providing an offline installer is that it > can be redistributed... by 3rd parties we have no control over. > > Unless we pay for a "real" certificate, issued to FPI I don't see how > the scheme can hold :) >
No, it isn't. My main point is providing an installer that works independent of the website (arguments listed earlier). - Zero3
