Tom Holroyd <[EMAIL PROTECTED]> writes:
> What do you think? Is this a configure problem or should it be left to
> "packagers"? Can configure include tools that make such integrity
> verification easier (and automatic)? For example, "make dist" or
> whatever could always create a GPG-signed file.
I don't think this is a problem solvable in autoconf. Software is too
big to audit thoroughly before compiling and running, so I think the only
good solution is to trust the source of the software, which makes GnuPG
signatures of the source probably the best one can do currently.
configure isn't really any different than the makefiles or even the source
code in terms of what has to be trusted.
Adding support to make dist for generating signatures would be an Automake
thing, not an autoconf thing. That probably isn't a bad idea.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
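The "make dist could create a GPG-signed file" idea from the message above, as an added Makefile.am fragment that is not from the thread or from Automake itself. It assumes a package that already uses Automake (so `$(distdir)` and the `dist` target exist), that `gpg` is on the PATH with the maintainer's secret key available, and that a packager verifying the release has already obtained and checked the maintainer's public key by some out-of-band route; the `SIGN_KEY` variable is a hypothetical knob for choosing that key.

```make
# Added example, not part of the original thread or of Automake.
# Assumes Automake defines $(distdir) (PACKAGE-VERSION) and the `dist`
# target, and that gpg is installed.  SIGN_KEY is a hypothetical
# variable: leave it empty to use gpg's default secret key, or run
# `make dist-sign SIGN_KEY=<key id>` to pick one explicitly.
GPG = gpg
SIGN_KEY =
DIST_TARBALL = $(distdir).tar.gz

# `make dist-sign` builds the normal tarball, then writes a detached,
# ASCII-armoured signature next to it.  A detached signature leaves the
# tarball byte-identical to an unsigned release, so existing checksums
# and mirrors are unaffected.  The signature cannot be created inside
# dist-hook, because that hook runs before the archive is written.
dist-sign: dist
	if test -n "$(SIGN_KEY)"; then \
	  $(GPG) --armor --detach-sign --local-user "$(SIGN_KEY)" \
	    --output $(DIST_TARBALL).asc $(DIST_TARBALL); \
	else \
	  $(GPG) --armor --detach-sign \
	    --output $(DIST_TARBALL).asc $(DIST_TARBALL); \
	fi

# `make dist-verify` is the check a packager runs after fetching both
# files.  gpg exits non-zero on a bad, missing or unknown-key signature,
# so this target fails the build in those cases.  Note that a good
# signature only proves the tarball is unchanged since signing; whether
# the signing key belongs to the real maintainer is the trust question
# the message above says has to be settled outside the build system.
dist-verify:
	$(GPG) --verify $(DIST_TARBALL).asc $(DIST_TARBALL)

.PHONY: dist-sign dist-verify
```

Both targets are plain POSIX make rules with shell bodies, so they pass `automake` without GNU-make-only extensions; `dist-verify` is deliberately separate from `dist-sign` so that a packager can run it on a downloaded release without having any secret key present.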