On 02.08.2013, Doug Barton wrote:

> However, what you really want to encourage is the verification of the
> signature (ignoring the bootstrapping problem for the moment), and even
> forcing people to download the signature file won't do that.

Enforcing something on people mainly results in the opposite of what you want them to do.

> In fact I would argue that the only folks interested in verifying the
> signature already do
> that

You can't know. There can be people who download the sig but don't manage to get it checked afterwards. Quality improvement should target both these and all the others who don't bother. Show them why it is important, how they could be affected by the negative consequences of not checking the signature. And show them how they can do that.

> and that any increase in downloads of the signature files is
> statistically meaningless.

There is no such thing as "statistically meaningless". A difference can be statistically significant (it's unlikely the result occurred by chance) or non-significant (it's likely that the result you observe is due to natural variation/chance). What you mean is that the increased download rate isn't relevant (because it's flawed by the fact that downloading the sig doesn't indicate that it has been checked) ;-)

You can only find out if an increased download rate is related to an increased signature check if you ask the downloaders themselves.