[Catalog-sig] repository security concerns
David Ascher
DavidA@ActiveState.com
Mon, 11 Mar 2002 09:49:07 -0800
Andrew Kuchling wrote:
> It seems reasonable, and could be made fairly simple by just using
> GnuPG to do the signature generation and checking. The Python code
> could then check if GnuPG is installed, displaying an innocuous "Not
> verifying signature" message if it's not, and checking the signature
> if it is.
Whatever you do, my suggestion is to make sure the process works for
Unix, Windows and Mac users. SourceForge, for example, is a real pain
to set up for non-Unixers. Until recently, there wasn't even good key
generation software for Windows. That's apparently been fixed in
recent versions of the PuTTY et al. software.
I don't know anything about GnuPG in that (or any other) respect =).
--david
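
The check-if-installed-then-verify flow from the quoted message, written so it behaves the same on Unix, Windows and Mac, as an added example (not code from this thread or from any project it discusses). The function names, the three-way result and the pinned-fingerprint set are assumptions; a skipped check is reported separately from a verified one so the caller decides how to treat it.

```python
import shutil
import subprocess

VERIFIED, FAILED, SKIPPED = "verified", "failed", "skipped"

def find_gpg(search_path=None):
    """Locate a GnuPG binary; shutil.which applies PATHEXT (.exe) on Windows."""
    for name in ("gpg", "gpg2"):
        found = shutil.which(name, path=search_path)
        if found:
            return found
    return None

def classify_status(status_text, trusted_fprs):
    """Interpret `gpg --status-fd` lines: accept only valid signatures from pinned keys."""
    trusted = {f.upper() for f in trusted_fprs}
    seen = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "ERRSIG"):
            return FAILED
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            seen.add(fields[2].upper())  # first field after VALIDSIG is the fingerprint
    # No VALIDSIG at all, or a signer outside the pinned set, is a failure.
    return VERIFIED if seen and seen <= trusted else FAILED

def verify(sig_path, data_path, trusted_fprs, search_path=None):
    """Verify a detached signature; return VERIFIED, FAILED or SKIPPED."""
    gpg = find_gpg(search_path)
    if gpg is None:
        print("Not verifying signature: GnuPG not found")
        return SKIPPED
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return classify_status(proc.stdout, trusted_fprs)

if __name__ == "__main__":
    # Constructed status output and fingerprint, for illustration only.
    fpr = "A" * 40
    sample = "[GNUPG:] GOODSIG 0123456789ABCDEF Example\n[GNUPG:] VALIDSIG %s 2002-03-11\n" % fpr
    print(classify_status(sample, {fpr}))
```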