On Wed, Jul 20, 2011 at 10:58:32AM +0100, Kai Hendry wrote:
> On 20 July 2011 10:54, Nick <suckless-...@njw.me.uk> wrote:
> > wget http://dl.suckless.org/tools/dmenu-4.4.tar.gz.sig
> > gpg --verify dmenu-0.4.tar.gz.sig
> > is not that tricky.
>
> You've skipped over the part of how you exchange the public key, no?

That is true, yes, good point. But just downloading the key from a keyserver, even if it isn't trusted by your web of trust, is better than e.g. just distributing a hash, and as mentioned trusting CAs (HTTPS) is pretty problematic.

> If it's not that tricky why doesn't Arch for example build it in to their
> tools?

I know very little of Arch's processes, so I can't say.

> And btw gpg sucks big time. :)

Alas yes, but it does work well.
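An added example, not from anyone in this thread, of the step Kai is asking about: verifying the tarball only after pinning the signer's key fingerprint, so a key pulled from a keyserver is checked against a value obtained out of band rather than trusted blindly. It builds a throwaway key and a constructed tarball in a temporary GNUPGHOME so it runs offline; the signer identity, file names and the pinned fingerprint are assumptions (a real user would pin the fingerprint published by the project).

```sh
#!/bin/sh
# Added example (not from the thread): pin the signing key's fingerprint,
# then verify the detached signature. Everything below is constructed so it
# runs offline; the fingerprint a real user pins comes from the project.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# Constructed stand-in for the project's release key (no passphrase).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Release Signer (constructed) <signer@example.invalid>' \
    default default never

# Constructed stand-in for the release tarball and its detached signature.
TARBALL="$WORK/dmenu-4.4.tar.gz"
printf 'constructed tarball contents\n' > "$TARBALL"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign "$TARBALL"            # writes "$TARBALL.sig"

# verify_release <tarball> <sig> <expected-fingerprint>
# Returns 0 only if the signature is good AND was made by the pinned key.
verify_release() {
    tarball=$1; sig=$2; expected=$3
    # --status-fd 1 gives machine-readable lines; a bad/missing sig fails here.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) \
        || return 1
    # VALIDSIG carries the full fingerprint of the key that made the signature.
    actual=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3 }')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# In real use this value is copied from an out-of-band source; here it is read
# from the constructed key so the example is self-contained.
PINNED=$(gpg --batch --with-colons --list-keys signer@example.invalid \
         | awk -F: '/^fpr/ { print $10; exit }')

# Sanity run: good signature with the pinned key verifies.
verify_release "$TARBALL" "$TARBALL.sig" "$PINNED" \
    && echo "signature OK and made by the pinned key"
```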