[cclan-list] asdf-install and pgp

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

=2D----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ this email goes to cclan-list because packaging and installation
tools are the kind of thing it's about, and to Miles and Edi
personally because they now have asdf-installable versions of their
software packages linked fron CLiki ]

If we are to automatically download and run code from freely-editable
links on the internet, I think that some form of authentication of the
code is required, and PGP to verify the source is a good place to
start.  It does open up a whole "who do you trust" can of worms,
though, in that the effort you might once have spent finding sources
you now have to spend getting and verifying PGP keys

I've just retrieved Miles' key from the keyservers=20

  pub  1024/01F53D51 2002-06-04=20=20=20=20=20=20=20=20=20=20=20=20
	   Fingerprint=3DE323 24E0 932E 9419 797E D8B3 5382 6AFF 01F5 3D51=20

(not the same key as is posted on the SBCL web page for him,
incidentally) and it matches all the PGP-signed mail I've had from him
over the past few months , so I'm thinking that probably merits a "(2)
I have done casual checking" signature.  (I reserve (3) for physical
meeting with proof of id).  I don't think that approach scales,
though, and it's certainly not much good for new users

Any ideas?  One thought that occurs to me is that there seem to be
Debian developers in many places; if we could all get keys signed by
well-connected Debian developers, that might join the dots between us
a bit.  Still doesn't solve the new-user problem, though

=2D -dan

=2D --=20

   http://www.cliki.net/ - Link farm for free CL-on-Unix resources=20
=2D----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+5OF9HDK5ZnWQiRMRAho6AJ9igBpG4QcgH/ZoIxA3q1Uv6ybEyQCfaFbD
Yv94I4kyDAfUVkVJefiszTY=3D
=3DbE2B
=2D----END PGP SIGNATURE-----