On Tue, Jun 15, 2004 at 05:14:46PM +0100, Paul Millar wrote:
> With network security, any activity implies at least some trust. The script
> wasn't brilliant, but pushing the functionality into winrash doesn't really
> solve the problem: we'd still need to verify the binaries somehow, or just
> trust that the binaries are OK.

Yes, we need to verify them, but not before we verify the script.
Otherwise, it's much easier to feed us a hacked script...

> But, in the mean time, I'll continue generating the sig files (as it happens
> automatically) so future gpg verification-code has something to test against.

Sure, that can't hurt, maybe one day we'll use it.

--
Dimi.
