[darcs-users] Re: GPG trust was Re: Wiki Trust

zooko at zooko.com zooko at zooko.com
Mon May 2 13:54:13 UTC 2005


> 2005-04-30T17:09:12 zooko:
> > Could someone please give an example scenario or a specific
> > description of what the goal is?
> 
> I assumed that the goal was, user wants to download a prebuilt
> binary (since building ghc to be able to build darcs puts some
> people off); how can they tell it's a legitimate build of a darcs
> binary and not a trojan horse?
> 
> For the problem of asserting the legitimacy of tarballs, there's
> widespread acceptance of the practice of the author gpg signing the
> tarball with a detached ascii-armored signature.

I apologize.  I had thought that the topic which was being brought onto the
mailing list was how to secure the sharing of patches among multiple hackers
who use darcs.  Since the topic is how to verify the authenticity of binaries
for end-users, then I agree that gpg signatures are a reasonable approach.

MD5 or SHA1 hashes of the resulting binary are also somewhat useful.

Regards,

Zooko




