I don't know. I don't personally vouch for every last bit of code... Many others contribute to the code. We cannot establish very much trust in it anyhow: something might have gone into CVS without a CVS mail being generated, the CVS-mail generated might not have been noticed yet, or the change may have been so big that a CVS-mail generated was truncated, or we might have a trojan developer, or my machine might be compromised, or dodo might be - I could only sign a jar file I generated myself, and normally dodo generates the jar. Yes, we could have dodo sign the files automatically, but what if dodo is compromised? Probably a good idea to have some signatures, but I'm not sure what level of trust we could possibly hope to establish...
Agreed, I would rather not have any signatures at all than have meaningless signatures which give a false sense of security.
Coming up with a robust way to make signatures mean something is a pretty large project in itself (probably involving the reimplementation of CVS among other things).
Ian.
_______________________________________________
Support mailing list
[EMAIL PROTECTED]
http://news.gmane.org/gmane.network.freenet.support