It would be nice to have a verifiable PGP signature and
MD5 hash for this package. Preferably the PGP key id
and hash would be published elsewhere (other than at the
same distribution site as the tarball), perhaps on a
mailing list? This would also align with the recent
news item declaring:
"The main efforts from 1.0.0 will be on speedups and
security auditing."
Verifiable signatures would in my view be a good first
step in auditing the source package. :-)
John
Logged In: YES
user_id=1466
0.9.5 onwards will be digitally signed. Because MD5 is not
a trustable algorithm (but is widely used), I'll include
the MD5 and SHA1 hashes for the package.
Logged In: YES
user_id=1312539
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).