Re: PGP signing releases

From Curt Sampson
Subject Re: PGP signing releases
Date
Msg-id Pine.NEB.4.51.0302050749220.561@angelic.cynic.net
In reply to Re: PGP signing releases  (Kurt Roeckx <Q@ping.be>)
List pgsql-hackers
On Tue, 4 Feb 2003, Kurt Roeckx wrote:

> I know how it works, it's just very unlikely I'll ever meet
> someone so it gives me a good chain.

One postgresql conference is all it takes.

> Anyway, I think pgp is good thing to do, just don't assume that
> it's always better than just md5.

I think it is. Even if you can't personally trust the signature properly,
it offers much more opportunity to discover a forgery because if you grab
the signing key when it's first published, the acquisition of the key and
the potentially forged binary are separated in time, making substitution
of both much more difficult.

Someone can easily change an MD5 signature file that's sitting right next
to a binary on an FTP server. Someone can not easily change a PGP key that's
already sitting in your keyring on your computer.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
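
The argument in the message above, as an added example that is not part of the original post or of any PostgreSQL release tooling: it models a download server where every file has been replaced at once, and compares the MD5 check with a signature check against a key stored earlier. A Lamport one-time hash-based signature stands in for PGP so the sketch needs only the Python standard library; `simulate`, the result keys and the sample byte strings are constructed for illustration.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(data):
    d = H(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, data):
    # Reveal one secret of each pair, chosen by the bits of the message hash.
    return [sk[i][b] for i, b in enumerate(bits(data))]

def verify(pk, data, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits(data), sig)))

def md5_ok(data, md5_hex):
    return hashlib.md5(data).hexdigest() == md5_hex

def simulate():
    # Earlier: the project publishes its key and the user stores it locally.
    project_sk, project_pk = keygen()
    keyring = project_pk
    genuine = b"constructed sample: genuine release tarball"
    genuine_sig = sign(project_sk, genuine)
    # Later: whoever controls the server replaces every file on it at once.
    forged = b"constructed sample: substituted release tarball"
    attacker_sk, attacker_pk = keygen()
    server = {"release": forged,
              "md5": hashlib.md5(forged).hexdigest(),
              "sig": sign(attacker_sk, forged),
              "key": attacker_pk}
    return {
        "genuine_vs_pinned_key": verify(keyring, genuine, genuine_sig),
        "forged_vs_md5_file": md5_ok(server["release"], server["md5"]),
        "forged_vs_key_from_server": verify(server["key"], server["release"], server["sig"]),
        "forged_vs_pinned_key": verify(keyring, server["release"], server["sig"]),
    }

if __name__ == "__main__":
    for check, passed in simulate().items():
        print(f"{check}: {'accepted' if passed else 'REJECTED'}")
```

Only the check against the key already held locally rejects the substituted file; a key fetched from the same server at download time gives no more assurance than the MD5 file next to the binary.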
 

