Dave Warren spake unto us the following wisdom:

> That's probably worthwhile for all 6 users who will bother to check it.
>
> Plus the reality of it, at least from my point of view, is that
> unless the GPG signature is distributed in a significantly different
> fashion from the EXE itself, it can be tampered with by anyone who
> has access to update the EXE itself.
That's what the web of trust is for. :-)

You can build some significant confidence in the Pidgin signed releases through the web of trust, even if you cannot firsthand verify the signatures. For example, I sign most emails I send, to this and other mailing lists. If the key I use for that weren't mine, someone probably would have noticed by now. I have cross-signed keys with at least half a dozen other Pidgin developers at various face-to-face meetings. Several of those developers have likely signed other developers into the loop. You can likely find other links for pidgin devs to high-profile keys.

That sort of verification isn't strong enough for many uses, but it's far stronger than a simple checksum.

Ethan
_______________________________________________
[email protected] mailing list
Want to unsubscribe? Use this link: http://pidgin.im/cgi-bin/mailman/listinfo/support
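The trust-path reasoning in Ethan's reply, as an added worked example that is not code from this thread or from the Pidgin project: a toy implementation of the key-validity calculation GnuPG's classic "pgp" trust model performs, using its default thresholds. The keys named "you", "ethan", "dev1".."dev6", "release-key", "lone-key", "stranger" and "unverified-key" and every certification between them are constructed for illustration and are assumptions, not real Pidgin keys or signatures.

```python
"""Toy web-of-trust validity calculation, modelled on GnuPG's classic "pgp"
trust model and its defaults (--completes-needed 1, --marginals-needed 3,
--max-cert-depth 5).  Every key and certification here is constructed for
illustration; none of them are real Pidgin keys."""

from collections import defaultdict

COMPLETES_NEEDED = 1   # one fully trusted introducer suffices ...
MARGINALS_NEEDED = 3   # ... or three marginally trusted ones
MAX_CERT_DEPTH = 5     # certification chains longer than this are ignored

# Ownertrust is what *you* assign: how much you trust a key's owner to
# certify other people's keys.  Key validity ("is this really X's key?") is
# what compute_validity derives from ownertrust plus the certifications.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(certs, ownertrust):
    """Return {key: validity} with validity in (FULL, MARGINAL, UNKNOWN).

    certs:      iterable of (signer, signed) key certifications
    ownertrust: {key: ULTIMATE|FULL|MARGINAL}; absent keys are untrusted
    """
    signers_of = defaultdict(set)
    all_keys = set(ownertrust)
    for signer, signed in certs:
        all_keys.update((signer, signed))
        if signer != signed:              # a self-signature proves nothing here
            signers_of[signed].add(signer)

    validity = {k: UNKNOWN for k in all_keys}
    # Depth 0: your own, ultimately trusted keys are valid by definition.
    introducers = {k for k, t in ownertrust.items() if t == ULTIMATE}
    for k in introducers:
        validity[k] = FULL

    for _depth in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = set()
        for key, signers in signers_of.items():
            if validity[key] == FULL:
                continue
            # Only fully valid keys act as introducers, weighted by the
            # ownertrust you gave their owners.
            completes = sum(1 for s in signers if s in introducers
                            and ownertrust.get(s) in (ULTIMATE, FULL))
            marginals = sum(1 for s in signers if s in introducers
                            and ownertrust.get(s) == MARGINAL)
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                newly_valid.add(key)
            elif marginals > 0:
                validity[key] = MARGINAL  # some evidence, but not enough
        if not newly_valid:
            break
        for key in newly_valid:
            validity[key] = FULL
        introducers = {k for k, v in validity.items() if v == FULL}
    return validity


def accept_release(signing_key, validity):
    """What gpg does after printing 'Good signature': the signature only
    counts if the key that made it is itself fully valid."""
    return validity.get(signing_key) == FULL


DEVS = ("dev1", "dev2", "dev3", "dev4", "dev5", "dev6")

# Constructed scenario following the mail: you hold the ultimate key and have
# checked Ethan's fingerprint in person, so you certified it.  Ethan has
# cross-signed with six developers; three of them certified the release key.
CERTS = {
    ("you", "ethan"),
    *(("ethan", d) for d in DEVS),
    *((d, "ethan") for d in DEVS),
    ("dev1", "release-key"), ("dev2", "release-key"), ("dev3", "release-key"),
    ("dev4", "lone-key"),            # certified by a single marginal introducer
    ("stranger", "unverified-key"),  # certifier is on no trust path from you
}
OWNERTRUST = {"you": ULTIMATE, "ethan": FULL, **{d: MARGINAL for d in DEVS}}


def build_example():
    """Validity of every key in the constructed scenario."""
    return compute_validity(CERTS, OWNERTRUST)


if __name__ == "__main__":
    for key, v in sorted(build_example().items()):
        print(f"{key:16} {v}")
    print("accept release signature:",
          accept_release("release-key", build_example()))
```

In the scenario the release key becomes fully valid at depth 3 (three marginally trusted developers, each made valid through Ethan, who was made valid by your own certification), "lone-key" only reaches marginal validity, and "unverified-key" stays unknown because its certifier is on no path from you. With real keys the same steps are: certify the fingerprint you checked in person (gpg --sign-key), assign ownertrust (the trust command in gpg --edit-key), inspect who certified a key (gpg --check-sigs), and then gpg --verify on the release signature. A "Good signature" that gpg also flags as not certified with a trusted signature is exactly the UNKNOWN or MARGINAL outcome above, and is the case the simple-checksum comparison in the mail cannot distinguish at all.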
