On Monday, 13 June 2011, 17:15:59, Dan McGee wrote:

> I did suggest [2] signing package hashes as one possible option

I just realized that this does not solve the "you don't know what you sign" argument at all. Whether you sign a file or the hash of that file usually makes no difference to the user in terms of the statement made (just in convenience). This is about "Shall you be able to 'sign' remote data", not so much about how you do that. Let alone that downloading (and even compiling) source code before signing does not guarantee that you sign what you think you are signing. You are just protected from signing something completely different.

Another point: one should not assume that somebody knows what he signs just because there is a "direct" signature. What a signature means should be taken solely from the signature policy.

I would like to have the possibility to pass the hash to be signed.

Hauke

-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
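The point in this message, that a signature over a file and a signature over that file's hash make the same statement because the signing primitive only ever sees the digest, can be shown concretely. The following Go program is an added example and is not code from the thread or from GnuPG; it uses RSA PKCS#1 v1.5 with SHA-256 from the Go standard library as a stand-in for the OpenPGP signing primitive, and the package bytes are constructed. It signs the same content once by hashing locally and once from a digest handed over by a "remote" builder, and checks that the two signatures are byte-identical, that both verify, and that a modified package body does not verify. Since the signer working from a digest has no way to inspect the content, it also illustrates why the meaning of such a signature has to come from the signature policy rather than from the act of signing.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDigest signs a precomputed SHA-256 digest. This is the "pass the hash
// to be signed" path: the signer never sees the content, only its digest.
func SignDigest(priv *rsa.PrivateKey, digest []byte) ([]byte, error) {
	// PKCS#1 v1.5 signatures are deterministic, so equal digests give equal signatures.
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
}

// SignFile hashes the content locally and then signs the digest. This is the
// "direct" signature path; internally it ends up in exactly the same place.
func SignFile(priv *rsa.PrivateKey, contents []byte) ([]byte, error) {
	d := sha256.Sum256(contents)
	return SignDigest(priv, d[:])
}

// Verify reports whether sig is a valid signature over contents.
func Verify(pub *rsa.PublicKey, contents, sig []byte) bool {
	d := sha256.Sum256(contents)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// Outcome collects the checks a verifier can assert on.
type Outcome struct {
	SameSignature    bool // signature over the file == signature over its digest
	LocalVerifies    bool // locally produced signature verifies against the package
	RemoteVerifies   bool // digest-only signature verifies against the same package
	TamperedVerifies bool // must be false: a modified package body does not verify
}

// Run performs the comparison with a freshly generated key and constructed data.
func Run() (Outcome, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample package contents (not a real package).
	pkg := []byte("constructed-package-1.0.tar.gz contents")
	modified := []byte("constructed-package-1.1.tar.gz contents")

	// Builder side: the digest is computed where the package lives and shipped
	// to the signer, who signs it without ever downloading the package.
	remoteDigest := sha256.Sum256(pkg)

	sigLocal, err := SignFile(priv, pkg)
	if err != nil {
		return Outcome{}, err
	}
	sigRemote, err := SignDigest(priv, remoteDigest[:])
	if err != nil {
		return Outcome{}, err
	}

	pub := &priv.PublicKey
	return Outcome{
		SameSignature:    bytes.Equal(sigLocal, sigRemote),
		LocalVerifies:    Verify(pub, pkg, sigLocal),
		RemoteVerifies:   Verify(pub, pkg, sigRemote),
		TamperedVerifies: Verify(pub, modified, sigRemote),
	}, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The `SameSignature` result is the whole argument in one bit: the signature makes an identical statement whichever way the digest reached the signer, so "direct" signing buys convenience, not knowledge of the content. The defensive consequence is that a signing service accepting digests should log who submitted each digest and under what policy, because that record, not the signature itself, is what later tells you what was vouched for.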
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
