John Andersen wrote:
> Unless the checksums are signed, getting the pgp key will do you no good.

Creating a checksum, then signing it, is an unnecessary extra step. GPG can generate a signature for a file all by itself. It's pretty common for sites to include signature files for downloads that are security-related. Many package managers automatically check signatures on files they download, making the whole thing automatic and painless.

> If you suppose that the web site can be easily compromised, why not order
> a CDrom?

That's an option, too. But why ship physical media around when you can download bits? :)

> As is usual for this board, the entire topic has now spiraled out of
> control into a fit of paranoia, fear, and suspicion.

It's not paranoia if they're really out to get you. ;) Debian had a server compromised a year or two ago. It happens.
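
The point about GPG signing a file directly, as an added example that is not part of the original message: a detached signature is made over the file itself and verification fails once the file is modified. It assumes GnuPG 2.1 or later is installed; the throwaway key, the user ID and the file name `release.iso` are constructed for the demo.

```shell
#!/bin/sh
# Added example: detached GPG signature checked against a modified download.
# Key, user ID, file name and contents are constructed for this demo.

# Throwaway keyring and signing key (stands in for the publisher's real key).
setup_demo() {
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME && chmod 700 "$GNUPGHOME" || return 1
    WORK=$(mktemp -d) || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <release@example.invalid>' \
        ed25519 sign never 2>/dev/null || return 1
    printf 'pretend this is an ISO image\n' > "$WORK/release.iso"
}

# Publisher side: sign the file directly; no separate checksum file is needed.
sign_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# Downloader side: exit status 0 only if the signature matches the file
# and was made by a key present in the local keyring.
check_sig() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

cleanup_demo() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME" "$WORK"
}

run_demo() {
    setup_demo || return 1
    sign_file "$WORK/release.iso" || return 1
    if check_sig "$WORK/release.iso"; then echo "untouched file: signature OK"; fi
    printf 'injected\n' >> "$WORK/release.iso"   # simulate a modified mirror copy
    if ! check_sig "$WORK/release.iso"; then echo "modified file: signature BAD"; fi
    cleanup_demo
}

run_demo
```

In real use the public key has to reach the downloader by a path the download server does not control, otherwise whoever replaces the file can replace the key as well.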
