[Distutils] PGP keys required? (Re: PEP 243)

Moore, Paul Paul.Moore at atosorigin.com
Tue Feb 3 04:45:07 EST 2004


From: Keith Jackson [mailto:krjackson at lbl.gov]
> A single S/MIME email from you or Jack would totally suffice for me for
> the short term. That way I could look in the archive, verify the sig, 
> and know that the hashes are valid. (Assuming you and Jack aren't 
> really black hats. :)

Ironically, that message just came through with an "invalid digital
signature" warning. I've no idea what Outlook (yes, I know, so sue me)
considers in making this judgement, but I no longer trust anything you
say, in case you are not who you say you are :-)

On a more serious note, this demonstrates why I don't trust digital
signatures much. Unless this really *was* someone else masquerading as
Keith, what do I do? I've never seen a genuinely hacked download, to my
knowledge, but I *have* seen warnings and errors from invalid signatures.
So ignoring signature errors is the correct approach, based on the
evidence I have encountered!

I'm not trying to argue the case, just to demonstrate how the world looks
from the POV of security-naive people like me...

Paul.
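The flow Keith proposes above (verify a signature over a list of hashes, then trust the hashes) and the question Paul raises about what to do with an "invalid signature" warning, as an added Go example that is not part of this thread, of Distutils, or of PEP 243: a manifest of SHA-256 file hashes is signed with Ed25519 (the key type, the sha256sum-style manifest layout, and the file names and contents are all assumptions made for this example), and the verifying side checks the signature first and refuses to consult the hashes at all when it does not verify. The example then exercises that fail-closed policy against a swapped file, an edited manifest, and a manifest re-signed with a key the consumer does not trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a file name to the hex SHA-256 of its contents. The layout
// is an assumption made for this example; PEP 243 does not define one.
type Manifest map[string]string

// ErrBadSignature is returned before any hash is looked at: a manifest whose
// signature does not verify tells us nothing about the files.
var ErrBadSignature = errors.New("manifest signature invalid; refusing to trust its hashes")

// ErrHashMismatch is returned when the signature is good but a file differs
// from what the signer vouched for.
var ErrHashMismatch = errors.New("file hash does not match signed manifest")

// Encode renders the manifest in a canonical, sorted form so signer and
// verifier sign and check exactly the same bytes (map order is random).
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n) // same shape as sha256sum output
	}
	return []byte(b.String())
}

// BuildManifest hashes every file the publisher wants to vouch for.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest is the publisher's step: a detached signature over the
// canonical manifest bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyDownload is the consumer's step and fails closed: the signature is
// checked first, and only a manifest that verifies is used to judge files.
func VerifyDownload(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	for name, data := range files {
		want, ok := m[name]
		sum := sha256.Sum256(data)
		if !ok || hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: %w", name, ErrHashMismatch)
		}
	}
	return nil
}

// Scenarios runs the genuine download and three tampering cases and returns
// the error each produced (nil for the genuine one).
func Scenarios() (good, tamperedFile, tamperedManifest, wrongKey error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the publisher's key
	if err != nil {
		panic(err)
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // an attacker's key

	// Constructed sample release: two files the publisher distributes.
	files := map[string][]byte{
		"pkg-1.0.tar.gz": []byte("constructed tarball bytes"),
		"pkg-1.0.zip":    []byte("constructed zip bytes"),
	}
	m := BuildManifest(files)
	sig := SignManifest(priv, m)
	good = VerifyDownload(pub, m, sig, files)

	// 1. The file is swapped but the signed manifest is left alone.
	bad := map[string][]byte{"pkg-1.0.tar.gz": []byte("backdoored"), "pkg-1.0.zip": files["pkg-1.0.zip"]}
	tamperedFile = VerifyDownload(pub, m, sig, bad)

	// 2. The manifest is edited to match the swapped file: the old
	//    signature no longer covers it, so the hashes are never consulted.
	edited := BuildManifest(bad)
	tamperedManifest = VerifyDownload(pub, edited, sig, bad)

	// 3. The edited manifest is re-signed with a key we do not trust.
	wrongKey = VerifyDownload(pub, edited, SignManifest(otherPriv, edited), bad)
	return
}

func main() {
	good, f, m, k := Scenarios()
	fmt.Println("genuine:", good, "| swapped file:", f, "| edited manifest:", m, "| wrong key:", k)
}
```

Each tampering case is reported as either a bad signature or a hash mismatch, and either outcome means the download is not used. Which public key the consumer trusts, and how it was obtained, is outside this code and is the decision the thread is really about.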
