From: Daniel B. <da...@te...> - 2003-06-09 19:35:22
[ this email goes to cclan-list because packaging and installation tools are the kind of thing it's about, and to Miles and Edi personally because they now have asdf-installable versions of their software packages linked from CLiki ]

If we are to automatically download and run code from freely-editable links on the internet, I think that some form of authentication of the code is required, and PGP to verify the source is a good place to start. It does open up a whole "who do you trust" can of worms, though, in that the effort you might once have spent finding sources you now have to spend getting and verifying PGP keys.

I've just retrieved Miles' key from the keyservers

    pub 1024/01F53D51 2002-06-04
    Fingerprint=E323 24E0 932E 9419 797E D8B3 5382 6AFF 01F5 3D51

(not the same key as is posted on the SBCL web page for him, incidentally) and it matches all the PGP-signed mail I've had from him over the past few months, so I'm thinking that probably merits a "(2) I have done casual checking" signature. (I reserve (3) for physical meeting with proof of id). I don't think that approach scales, though, and it's certainly not much good for new users.

Any ideas? One thought that occurs to me is that there seem to be Debian developers in many places; if we could all get keys signed by well-connected Debian developers, that might join the dots between us a bit. Still doesn't solve the new-user problem, though.

-dan

-- 
http://www.cliki.net/ - Link farm for free CL-on-Unix resources
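
Added example, not part of the original message and not asdf-install's own code: a sketch of the accept/reject decision an installer could make from the output of `gpg --status-fd 1 --verify pkg.asc pkg.tar.gz`, preferring a pinned fingerprint and only optionally falling back to web-of-trust validity. The function name `decide`, the `PINNED` set and the sample status lines are assumptions constructed for illustration; it assumes one signature per file.

```python
# Added example: policy check over gpg --status-fd output (constructed inputs).
# Pinned fingerprint is the one quoted in the message, with spaces removed.
PINNED = {"E32324E0932E9419797ED8B353826AFF01F53D51"}
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
WOT_OK = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # validity computed by gpg's trust model

# Constructed status output: a good signature from the pinned key.
GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 53826AFF01F53D51 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG E32324E0932E9419797ED8B353826AFF01F53D51 2003-06-09 1055187322 0 3 0 17 2 00 E32324E0932E9419797ED8B353826AFF01F53D51
[GNUPG:] TRUST_UNDEFINED"""
# Constructed: the archive was modified after signing.
BAD = "[GNUPG:] BADSIG 53826AFF01F53D51 Example Signer <signer@example.invalid>"
# Constructed: a cryptographically valid signature from a key nobody has vouched for.
UNKNOWN = """[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-06-09 1055187322 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED"""

def decide(status_text, pinned=PINNED, allow_web_of_trust=False):
    """Return (ok, reason) for one signature verification run."""
    fpr = trust = fatal = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ignore anything that is not a machine-readable status line
        fields = line.split()[1:]
        if not fields:
            continue
        kw = fields[0]
        if kw in FATAL:
            fatal = kw
        elif kw == "VALIDSIG" and len(fields) >= 2:
            # Field 10 is the primary key fingerprint; older gpg only emits field 1.
            fpr = (fields[10] if len(fields) > 10 else fields[1]).upper()
        elif kw.startswith("TRUST_"):
            trust = kw
    if fatal:
        return False, "rejected: " + fatal
    if fpr is None:
        return False, "rejected: no valid signature"
    if fpr in pinned:  # "who do you trust" answered by an explicit local list
        return True, "accepted: pinned key " + fpr[-8:]
    if allow_web_of_trust and trust in WOT_OK:  # path through keys others signed
        return True, "accepted: web of trust (" + trust + ")"
    return False, "rejected: key %s not trusted (%s)" % (fpr[-8:], trust or "no trust line")
```

A signature that verifies but comes from an unpinned key with TRUST_UNDEFINED is rejected, which is the new-user case the message raises: the signature is sound, but nothing connects the key to a person.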