[Catalog-sig] repository security concerns

David Ascher DavidA@ActiveState.com
Mon, 11 Mar 2002 09:49:07 -0800


Andrew Kuchling wrote:

> It seems reasonable, and could be made fairly simple by just using
> GnuPG to do the signature generation and checking.  The Python code
> could then check if GnuPG is installed, displaying an innocuous "Not
> verifying signature" message if it's not, and checking the signature
> if it is.

Whatever you do, my suggestion is to make sure the process works for
Unix, Windows and Mac users.  Sourceforge, for example, is a real pain
to set up for non-Unixers.  Until recently, there wasn't even good key
generation software for Windows.  That's apparently been fixed in
recent versions of the putty et al. software.

I don't know anything about GnuPG in that (or any other) respect =).

--david
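
The check Andrew sketches above (look for GnuPG, print a "not verifying" notice and carry on if it is absent, verify the detached signature if it is present), written out as an added Python example. This is not code from the original messages or from any catalog project. It assumes gpg is driven as a subprocess with --status-fd, which is how GnuPG reports machine-readable results; the key ID, fingerprint and status lines in the sample constants are constructed for the example.

```python
"""Verify a detached GnuPG signature on a downloaded archive, degrading to a
warning when gpg is not installed. Example code, not part of the thread."""
import shutil
import subprocess

STATUS_PREFIX = "[GNUPG:] "

# Constructed sample of gpg --status-fd output for a valid signature.
# Key ID, fingerprint and user ID are made up for this example.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1234567890ABCDEF Example Packager <packager@example.org>\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2002-03-11 1015862947 0 4 0 1 10 00 {SAMPLE_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_BAD_STATUS = "[GNUPG:] BADSIG 1234567890ABCDEF Example Packager <packager@example.org>\n"
SAMPLE_NOKEY_STATUS = (
    "[GNUPG:] ERRSIG 1234567890ABCDEF 1 10 00 1015862947 9 -\n"
    "[GNUPG:] NO_PUBKEY 1234567890ABCDEF\n"
)


def find_gpg():
    """Return the path of gpg (or gpg2) if it is on PATH, else None."""
    return shutil.which("gpg") or shutil.which("gpg2")


def parse_status(status_text, expected_fingerprints=None):
    """Reduce gpg --status-fd output to a dict with verdict, detail, fingerprint.

    verdict is one of: good, untrusted, bad, nokey, error. A GOODSIG only
    means the signature matches *some* key in the local keyring, so when
    expected_fingerprints is given the VALIDSIG fingerprint must be in that
    set for the verdict to stay 'good'; otherwise it becomes 'untrusted'.
    Handles a single signature per file.
    """
    result = {"verdict": "error", "detail": "no signature status", "fingerprint": None}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            # args: key ID followed by the (space-containing) user ID
            result["verdict"] = "good"
            result["detail"] = " ".join(args[1:]) or (args[0] if args else "")
        elif keyword == "VALIDSIG" and args:
            # args[0] is the fingerprint of the key that made the signature
            result["fingerprint"] = args[0].upper()
        elif keyword == "BADSIG":
            result["verdict"] = "bad"
            result["detail"] = " ".join(args[1:]) or (args[0] if args else "")
        elif keyword == "NO_PUBKEY" and args:
            result["verdict"] = "nokey"
            result["detail"] = args[0]
        elif keyword == "ERRSIG" and result["verdict"] == "error":
            result["detail"] = "ERRSIG " + " ".join(args)
    if result["verdict"] == "good" and expected_fingerprints is not None:
        allowed = {f.upper() for f in expected_fingerprints}
        if result["fingerprint"] not in allowed:
            result["verdict"] = "untrusted"
    return result


def verify_signature(archive, signature, expected_fingerprints=None,
                     gpg_path=find_gpg(), require=False):
    """Return (verdict, detail) for a detached signature over an archive.

    Without gpg the verdict is 'unverified' and the caller should print the
    innocuous notice from the thread; with require=True the absence of gpg
    is an error instead (fail closed rather than fail open).
    """
    if gpg_path is None:
        if require:
            raise RuntimeError("GnuPG is required but not installed")
        return "unverified", "GnuPG not installed; not verifying signature"
    cmd = [gpg_path, "--batch", "--no-tty", "--status-fd", "1",
           "--verify", signature, archive]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except OSError as exc:
        if require:
            raise RuntimeError(f"could not run gpg: {exc}") from exc
        return "unverified", f"could not run gpg: {exc}"
    status = parse_status(proc.stdout, expected_fingerprints)
    return status["verdict"], status["detail"]


if __name__ == "__main__":
    # Offline demonstration on the constructed status text.
    print(parse_status(SAMPLE_GOOD_STATUS, [SAMPLE_FPR]))
    print(parse_status(SAMPLE_GOOD_STATUS, ["FFFF"]))
    # Real use: verdict, detail = verify_signature("pkg.tar.gz", "pkg.tar.gz.asc",
    #                                              expected_fingerprints=[SAMPLE_FPR])
```

Two points worth keeping in mind with this shape: the "not verifying signature" path is fail-open by design, so a tool that wants a hard guarantee should pass require=True; and a GOODSIG on its own only proves the archive was signed by a key the user happens to have imported, which is why the fingerprint pin is the part that actually ties the download to a known packager.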