>> But I think signing is a good thing - not from the security point
>> of view, but of making font designers (or rather, font modifiers)
>> less callous about doing ad hoc modification of fonts. I think
>> requiring signing - or even just *showing* the DSIG status - of
>> fonts would improve the general quality of them.
>
> There's water under that bridge already. Neither WOFF nor WOFF2
> maintain the exact byte sequence in a font.
And integrity checks at installation time can be easily done with an
external MD5 or sha256 checksum, which is far easier to handle.
Werner
_______________________________________________
Freetype-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/freetype-devel
