On Aug 4, 2008, at 2:06 PM, h.b.furuseth@usit.uio.no wrote:

Kurt@OpenLDAP.org writes:

...

I note as well that properly deploying release signing requires more than script modification. For instance, one does need to consider that the host to sign the releases might itself been taken over and the implications of such a takeover.

For that part, signatures in the 'https:' site would help.

I think you need to re-think that assertion.

Not that I'm making an issue of it, I've got OpenLDAP installations that I didn't verify against any signature right on this host.

-- Hallvard