On 6/9/2012 4:14 PM, Peter Lebbing wrote:
> Where the question is going is rather simple: what would you
> recommend Joe Average User to do to verify the authenticity of the
> GnuPG source he downloaded, not questioning his desire to build from
> that source.

Ah, I see. I apologize for not understanding sooner: I thought you were trying to illustrate a point.

I'm generally not comfortable giving advice about what people should do. I'm comfortable making factual statements, presenting options, talking about my own practices or giving perspectives, but I really want to avoid the recommending-what-people-should-do route. I'm not comfortable with that, not unless I'm billing by the hour and have a liability waiver signed in blood. :)

That said, I have found it useful as a general principle to avoid introducing new points of fiat validity. When possible, new sources should be certified through existing validated certificates. Considering my points of fiat validity and minimizing their number has always served me well.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users