On Fri, Sep 19, 2008 at 6:11 PM, Justin Erenkrantz <[EMAIL PROTECTED]> wrote:
> On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> How about we include the signatures in the source distros? That way
>> if you trust your source, then you can trust the dependencies it
>> downloads.
>
> Eww. That'd be a giant gaping security hole.
Not necessarily; it depends on how it's done. Signing works through trusting the people who own the keys. Given sufficient signatures (to prevent small conspiracies), where the signatures are downloaded from shouldn't matter.

- robert
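A concrete form of the threshold check described in the reply above, as an added example that is not code from this thread or from any project mentioned in it. The artifact bytes, the generated keys and the k-of-n policy are constructed assumptions; the point it shows is that only distinct, pre-trusted keys are counted, so the server the signature files were fetched from contributes no trust of its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature is a detached signature over an artifact's SHA-256 digest, tagged
// with the signer's public key so the verifier can match it to a trusted key.
type Signature struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// SignArtifact produces the detached signature a maintainer would publish.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) Signature {
	d := sha256.Sum256(artifact)
	return Signature{Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, d[:])}
}

// CountValid returns how many distinct trusted keys verify the artifact.
// Unknown and repeated signers are ignored, so whoever controls the download
// location cannot pad the count with extra signature files.
func CountValid(trusted []ed25519.PublicKey, artifact []byte, sigs []Signature) int {
	d := sha256.Sum256(artifact)
	seen := map[string]bool{}
	for _, s := range sigs {
		for _, t := range trusted {
			if t.Equal(s.Signer) && ed25519.Verify(t, d[:], s.Sig) {
				seen[string(t)] = true
			}
		}
	}
	return len(seen)
}

// Accept reports whether at least threshold distinct trusted signers vouch for
// the artifact; the trust lives in the keys, not in where the bytes came from.
func Accept(trusted []ed25519.PublicKey, threshold int, artifact []byte, sigs []Signature) bool {
	return CountValid(trusted, artifact, sigs) >= threshold
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key
	art := []byte("dependency-1.0.jar (constructed sample bytes)")
	sigs := []Signature{SignArtifact(priv, art)}
	fmt.Println("1-of-1 accepted:", Accept([]ed25519.PublicKey{pub}, 1, art, sigs)) // true
}
```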