I figure that an attacker can convince most downloaders who might verify a PGP signature that the project no longer signs releases, making the project's use of PGP signatures moot. While it can be argued that there might be some downloaders who want to establish rigid signature verification procedures and follow them, I simply haven't heard anyone claim to be such a downloader. And even if there were a few that might now claim this, I think the amount of work involved (both initially and on a per-release basis) is worth the time spent.
I would argue time is better spent on improvements that benefit most downloaders, such as a more comprehensive web/ftp change detection/notice system.
-- Kurt