Donald Stufft email@example.com wrote:
I said "meaningful". Almost nobody is going to ever bother googling it and the likelihood that someone is able to MITM you specifically is far lesser than the likelihood that someone is going to MITM one of the cdecimal users.
I'm doing this for important installs. -- That is how I installed qmail and djbdns.
Additionally your messages aren't signed and email isn't an authenticated profile so if someone was able to get your password they could simply spoof an email from you to the mailing list with new hashes, or edit out the description telling people to go google some stuff.
Signing messages is pointless if the key isn't well connected. Also, I'm reading the lists and would notice a "release". Most importantly, the checksum mismatch would still be found, since the old messages with the correct sum would still exist under the scenario we're talking about (i.e. not GCHQ hacking into Belgacom routers).