> Signatures require a) somebody checks THE WHOLE SOURCE for trojans. This
> will take weeks and therefore will never happen. b) that we can keep the
> private key secure. This is unlikely.

Have you participated (without identifying yourself) in any large projects that currently GPG-sign their sources / binaries? All you have to do is sign them when you package them. What people want from the signature is the knowledge that the package is as the author created it and not repackaged by a third party. As for source errors or hidden trojans, that can always happen, but a signed release lets you announce a patch release, admitting the trojanning, and users know that the new release is also from the usual packaging author.

Keeping a private key secure is really easy in this context (use a CD/floppy). More importantly, you can always create private keys with 3 or 6 month expiries so that you have to create new keys before then and sign them with the old keys, so that anyone who actually compromises the key doesn't gain much. Being able to revoke GPG/PGP keys makes this almost unnecessary as well (are you actually familiar with the technology involved in how GPG/PGP work? Go read the fine manual ... www.gnupg.org).

> > with IE or Mozilla for that matter. Please do some research ...
>
> Signed JAR files go through verisign. That is not good.

Signed JAR files don't go through verisign; that's one company that offers such signatures. You don't actually need to use their signatures; see www.openssl.org or www.openca.org for something more complex. There are open and free ways to create and manage signing authorities for JARs as well (again, I happen to do this stuff for a living).

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
This advice brought to you by a lot of cash I didn't charge for the advice ...
http://www.fibrespeed.net/~mbabcock/

_______________________________________________
support mailing list
[EMAIL PROTECTED]
http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/support
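The release-signing workflow the reply above describes, as an added example that is not part of the original mailing-list post or of any project mentioned in it: a sign-only GnuPG key with a three-month expiry, a detached signature on the release archive, verification by a user against a pinned public-key file, a tamper check, and key rotation in which the old key certifies the new one. The key identities, file names, and the use of a temporary `GNUPGHOME` are constructed for the demo; a real signing key would carry a passphrase and live offline, as the reply suggests.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates with GnuPG:
# short-lived signing key, detached signature, pinned-keyring verification,
# tamper detection, and old-key-certifies-new-key rotation. Identities and
# paths below are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
export GNUPGHOME="$WORK/gnupg"          # isolated keyring for the demo
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# Unattended gpg: no passphrase prompts (demo only; real keys stay protected).
g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Create a sign-only key that expires in three months; print its fingerprint.
make_key() {
    g --quick-generate-key "$1" ed25519 sign 3m 2>/dev/null
    gpg --batch --with-colons --list-keys "=$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Export the public key: this file is what users fetch once and pin.
export_pubkey() { gpg --batch --export "$1" > "$2"; }

# Maintainer side: detached, ASCII-armored signature written beside the file.
sign_release() { g --local-user "$1" --armor --detach-sign --output "$2.asc" "$2"; }

# User side: accept the file only if its signature verifies under a key in the
# pinned public-key file, ignoring whatever else is in the user's keyring.
verify_release() {
    gpg --batch --quiet --no-default-keyring --keyring "$1" \
        --verify "$2.asc" "$2" >/dev/null 2>&1
}

# Rotation: the old key certifies the new key's user id, so users who already
# pinned the old key can accept the new one before the old one expires.
certify_new_key() { g --local-user "$1" --quick-sign-key "$2"; }

# Does key $2 carry a certification made by key $1? The signer's long key id
# (last 16 hex digits of its fingerprint) appears in field 5 of "sig" lines.
certified_by() {
    old_id=$(printf '%s' "$1" | tail -c 16)
    gpg --batch --with-colons --list-sigs "$2" | \
        awk -F: -v id="$old_id" '$1=="sig" && $5==id {found=1} END {exit !found}'
}

demo() {
    cd "$WORK"
    printf 'release contents\n' > foo-1.0.tar          # constructed "release"
    old=$(make_key "Foo Release Key <release@example.invalid>")
    export_pubkey "$old" "$WORK/foo-release.gpg"
    sign_release "$old" foo-1.0.tar
    verify_release "$WORK/foo-release.gpg" foo-1.0.tar && echo "good signature"

    # A repackaged archive with the original signature must be rejected.
    cp foo-1.0.tar foo-1.0-tampered.tar
    cp foo-1.0.tar.asc foo-1.0-tampered.tar.asc
    printf 'x' >> foo-1.0-tampered.tar
    verify_release "$WORK/foo-release.gpg" foo-1.0-tampered.tar || echo "tampered: rejected"

    # Rotate before expiry: new key, certified by the old one.
    new=$(make_key "Foo Release Key 2 <release@example.invalid>")
    certify_new_key "$old" "$new"
    certified_by "$old" "$new" && echo "new key certified by old key"
}
demo
```

`verify_release` returns 0 only for a good signature, so it can gate an install step directly; note that gpg reports a good signature even for a key the user has not marked as trusted, which is why the check pins a specific public-key file rather than relying on the default keyring.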