Yes, I am building an updater. If phobos finishes the manual on how to get it to compile under mingw, I will compile, sign, and release them myself.
And yes, I am verifying the sigs I use in the release.

Regards,
Arrakistor

Monday, September 11, 2006, 6:27:38 PM, you wrote:

> Arrakistor wrote:
>> Nick,
>>
>> Yes but the sig is only as good as the person you trust. That is why I
>> haven't released Torpark 2.0b2 with 0.1.2.1-a, I simply don't have a
>> trusted binary. I don't think they yet have a pgp plugin for NSIS
>> language yet. I'll see what else can be done for verifying sigs.
>
> You're not going to get a better way to validate trust than a pgp
> signature. If you don't trust the tor signing release keys, you
> shouldn't trust the code they're signing.
>
> Some random .onion address given over a mailing list isn't a secure way
> to verify anything. Someone can compromise the server on the other end
> of the .onion address.
>
> It sounds like you're building an automatic updater for your system.
> I suspect that you should be very careful as you're introducing a method
> for automatically downloading binaries and potentially running untrusted
> code.
>
> You need to verify the pgp signature of builds just as you would source
> code before building.
>
> At the cost of repeating what Nick said, you're verifying pgp signatures
> already, right?
>
> Something,
> Jacob Appelbaum

