Johan Wevers johanw at vulcan.xs4all.nl Fri Sep 16 20:28:52 CEST 2011 wrote:
>Why not also host a copy of the existing binary?

Because then who is to say that it wasn't tampered with?

The whole point is to start with gnupg.org signed and verified material, and then let the user take it from there.

Although, [and am over my head here, so please correct if wrong], if there *could* be a way of providing instructions on compiling, so that the resultant compiled file would always have the same hash, then it might make sense to host the compiled binary and the hash.

My understanding, (which may be outdated), is that there are too many variations in individual user systems, so that the compiled files would never have 'exactly' the same hash independent of where they are compiled.

Is there any way to ensure that if the same source code and the same compiler is used, that the resultant files have the same hash?

Thanks,

vedaal

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
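
Added example (not part of the original message, and not GnuPG's build process): one way identical inputs end up with different hashes is that metadata from the builder's environment is written into the output. The sketch below uses packaging a file tree into a `.tar.gz` as a stand-in for a build step; the file names, timestamps and user names are constructed sample values.

```python
import gzip, hashlib, io, tarfile

# Constructed sample "build output": identical bytes on both machines.
FILES = {"bin/tool": b"\x7fELF-constructed-sample", "README": b"sample release\n"}

def package(files, *, mtime, uid, uname, normalize):
    """Pack files into a .tar.gz and return its bytes.

    mtime/uid/uname model the builder's environment. With normalize=True
    they are replaced by fixed values and entries are sorted, so only the
    file names and contents influence the output.
    """
    raw = io.BytesIO()
    names = sorted(files) if normalize else list(files)
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o644
            info.mtime = 0 if normalize else mtime
            info.uid = info.gid = 0 if normalize else uid
            info.uname = info.gname = "" if normalize else uname
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # gzip stores its own timestamp in the header; pin it as well.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0 if normalize else mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def compare(normalize):
    """Hash the package as produced by two different (constructed) builders."""
    alice = package(FILES, mtime=1316197732, uid=1000, uname="alice",
                    normalize=normalize)
    # Same files, but enumerated in a different order at a different time.
    bob = package(dict(reversed(FILES.items())), mtime=1316284132, uid=501,
                  uname="bob", normalize=normalize)
    return sha256(alice), sha256(bob)

if __name__ == "__main__":
    print("as built:  ", *compare(False))
    print("normalized:", *compare(True))
```

The normalized hashes match only when both builders also run the same tool versions, since the compressed bytes depend on the compression library in use; a published hash is therefore meaningful only together with the exact toolchain it was produced with.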