Quoting Richard Harke ([EMAIL PROTECTED]):

> For some packages I have downloaded, the signer's key is retrieved from
> a different site. I also then check against a key server. This is not
> foolproof but it does make the bad guys' job harder. Another factor is
> time. If I use the same sites over again, I may be able to check
> against a key I got some time ago. Presumably, if it would have been
> compromised, it would have been canceled and a new key generated.

Yes, these are both good rules of thumb. I don't think that best practices[1] on this subject have been written about, much. It might make a good article.

[1] And I don't mean http://linuxmafia.com/~rick/lexicon.html#best-practices . ;->
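
The checks discussed in this thread (same key from independent sources, not revoked, same as the key obtained earlier), as an added example that is not part of the original messages. It assumes each source's key was listed with `gpg --show-keys --with-colons`; the function names, fingerprints and sample listings are constructed for illustration.

```python
# Added illustration: compare a signer's key across sources and over time.
FPR_A = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, not a real key
FPR_B = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # constructed, not a real key

def sample_listing(fpr, validity="-"):
    """Build a constructed colon-format listing (stand-in for real gpg output)."""
    return "\n".join([
        f"pub:{validity}:4096:1:{fpr[-16:]}:1100000000:::-:::scESC:",
        "fpr" + ":" * 9 + fpr + ":",
        f"uid:{validity}::::1100000000::::Example Signer <signer@example.invalid>:",
        "sub:-:4096:1:00000000DEADBEEF:1100000000::::::e:",
        "fpr" + ":" * 9 + "0" * 40 + ":",   # subkey fingerprint, must be ignored
    ])

def primary_keys(colon_output):
    """Return {fingerprint: validity} for each primary key in the listing."""
    keys, pending = {}, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = f[1]                  # field 2: validity (r=revoked, e=expired)
        elif f[0] == "sub":
            pending = None                  # the next fpr record belongs to a subkey
        elif f[0] == "fpr" and pending is not None and len(f) > 9:
            keys[f[9].upper()] = pending    # field 10: fingerprint
            pending = None
    return keys

def check_signer(sources, pinned_fpr=None):
    """sources: {source name: colon listing}. Returns (verdict, detail)."""
    seen = {}
    for name, listing in sources.items():
        keys = primary_keys(listing)
        if len(keys) != 1:
            return ("reject", f"{name}: expected one primary key, got {len(keys)}")
        (fpr, validity), = keys.items()
        if validity in ("r", "e"):
            return ("reject", f"{name}: key is revoked or expired")
        seen[name] = fpr
    if len(set(seen.values())) != 1:
        return ("reject", f"sources disagree: {seen}")
    fpr = next(iter(seen.values()))
    if pinned_fpr is None:
        return ("first-use", fpr)           # nothing recorded earlier; record it now
    if fpr != pinned_fpr.replace(" ", "").upper():
        return ("reject", "key differs from the one recorded earlier")
    return ("match", fpr)
```

A `first-use` verdict only says the sources agree with each other; the fingerprint it returns is the value to store for later comparisons.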
