I have posted a message in the GPG Tools support forum copying the original post in this thread, letting the developers know of the concerns raised here.
Perhaps you will see some comments in the near future.

Sandeep Murthy
s.mur...@mykolab.com

> On 17 Feb 2015, at 13:31, Werner Koch <w...@gnupg.org> wrote:
>
> On Mon, 16 Feb 2015 22:48, js-gnupg-us...@webkeks.org said:
>
>> @bash -c "$$(curl -fsSL
>> https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)"
>
> Bad idea to directly run code from a foreign remote site. I'd
> appreciate if someone from gpgtools.org can comment on this.
>
> GnuPG's speedo build system also downloads stuff via the Makefile but it
> verifies the checksums before proceeding. The checksums are taken from a
> public file which has a detached signature and the public key for that
> is one of the GnuPG release signing keys.
>
>
> Salam-Shalom,
>
>    Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
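
The verify-before-run order described in the quoted reply (signed checksum list first, then the checksum of the download, then execution), sketched as an added example. It is not part of this thread and is not the speedo or GPGTools build code; the function names, file names and keyring path are assumptions.

```shell
#!/bin/sh
# Added example: run a fetched build script only after its checksum has been
# matched against a checksum list whose detached signature verified.
# Paths, file names and function names are hypothetical.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_signed_list SUMS SIG KEYRING: succeed only if SIG is a valid detached
# signature over SUMS made by a key in KEYRING (a keyring holding just the
# release signing keys, shipped with the source tree rather than downloaded).
verify_signed_list() {
    gpgv --keyring "$3" "$2" "$1"
}

# checksum_matches SUMS FILE: look up FILE's basename in SUMS
# ("<hex digest>  <name>" per line) and compare with the real digest.
# Returns 0 on match, 1 on mismatch, 2 if FILE is not listed (fail closed).
checksum_matches() {
    name=$(basename "$2")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$1")
    [ -n "$expected" ] || return 2
    [ "$expected" = "$(sha256_of "$2")" ]
}

# run_verified SUMS SIG KEYRING FILE: execute FILE only if both checks pass.
# The script is read from disk after verification, never piped from the network.
run_verified() {
    verify_signed_list "$1" "$2" "$3" || { echo "bad signature on $1" >&2; return 1; }
    checksum_matches "$1" "$4" || { echo "checksum check failed for $4" >&2; return 1; }
    sh "$4"
}
```

A caller would fetch the script, the checksum list and its signature to disk, then invoke `run_verified SHA256SUMS SHA256SUMS.sig release-keys.gpg prepare-core.sh` (file names constructed for illustration).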