Via webmaster, please check the "Original Message" that follows.
Have fun, Paulo Gaspar > -----Original Message----- > From: Erik Agsjo [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, April 24, 2002 9:59 AM > To: [EMAIL PROTECTED] > Subject: PGP-keys > > > Hi. > > <paranoia> > > I just downloaded the tomcat 4.0.3 binaries for linux (mod_jk-01.so and > mod_webapp.so) and decided to verify the signatures provided. They > checked out fine, after I added the keys from the "KEYS" file to > my keyring. > > I would be nice if these keys were available from a keyserver, I failed > to find them anywhere. Also, if the keys were signed by someone else > than the keyowner, the point of signing the binaries would be much > improved. I mean, if someone has access to the distribution directory > and replaces the binaries with copies containing evil trojans, it would > be simple for that individual to replace the KEYS file and signatures as > well. > > What is worse it that that the signature for the tgz > (jakarta-tomcat-4.0.3.tar.gz) is bad. At least, that is what gpg (GnuPG) > 1.0.6 says. > > </paranoia> > > Thanks for you time, > Erik Agsjo > Noptec > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>