On 13 November 2012 10:26, M.-A. Lemburg <span dir="ltr">&lt;<a href="mailto:mal@egenix.com" target="_blank">mal@egenix.com</a>&gt;</span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">I agree with Martin. If the point is to &quot;to protect against cryptography</div>
that is not used&quot;, then not using the de-facto standard in signing<br>
open source distribution files, which today is PGP/GPG, misses that<br>
point :-)<br></blockquote><div><br></div><div>I agree as well. For me, the main reason for cryptography not being used is key distribution. Sure, I have a signed file, but without a key what&#39;s the point? And if I&#39;m creating a file, why sign it if I don&#39;t know how to securely publish my key? So inventing a new signing infrastructure without a key distribution process doesn&#39;t encourage me to use crypto at all...</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It&#39;s a good idea to check integrity, but that can be done using<br>
hashes.<br></blockquote><div><br></div><div>+1 hashing is fine, and I don&#39;t have any problem with the hashing aspects of the PEP.</div><div><br></div><div>Maybe the signing aspects could be deferred to a subsequent PEP, to be thrashed out separately? I know Daniel has a strong interest in the signing aspect, so I&#39;m reluctant to suggest just dropping it, but I&#39;d rather it not be a showstopper for the rest of the current proposal. </div>
</div><br><div>Paul.</div>