Need hash sums for .EXE if from sourceforge

Ethan Blanton elb at pidgin.im
Thu May 31 19:53:12 EDT 2012


Dave Warren spake unto us the following wisdom:
> That's probably worthwhile for all 6 users who will bother to check it.
> 
> Plus the reality of it, at least from my point of view, is that
> unless the GPG signature is distributed in a significantly different
> fashion from the EXE itself, it can be tampered with by anyone who
> has access to update the EXE itself.

That's what the web of trust is for.  :-)

You can build some significant confidence in the Pidgin signed
releases through the web of trust, even if you cannot firsthand verify
the signatures.  For example, I sign most emails I send, to this and
other mailing lists.  If the key I use for that weren't mine, someone
probably would have noticed by now.  I have cross-signed keys with at
least half a dozen other Pidgin developers at various face-to-face
meetings. Several of those developers have likely signed other
developers into the loop.  You can likely find other links for pidgin
devs to high-profile keys.

That sort of verification isn't strong enough for many uses, but it's
far stronger than a simple checksum.

Ethan
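
The message above describes building confidence in a release key through chains of key certifications rather than through the signature file shipped next to the binary. The toy model below, which is an added example and not code from the Pidgin project or from the post, shows how that reasoning turns into a concrete validity computation. It follows the GnuPG "classic" trust model as this editor understands it (one fully trusted introducer, or three marginally trusted ones, within a certification depth of five); the key names, signature graph and owner-trust values are constructed sample data, not real keys.

```python
"""Toy model of web-of-trust key validity (GnuPG classic rules).

Added example, not code from the Pidgin project or the mailing-list post.
Key names and the certification graph are constructed sample data.  The
thresholds mirror GnuPG's defaults as assumed here (completes-needed=1,
marginals-needed=3, max-cert-depth=5); check `man gpg` for the real thing.
"""

# Constructed sample data: signer -> set of keys that signer has certified.
# Cross-signing at a keysigning meeting shows up as edges in both directions.
SAMPLE_SIGS = {
    "ME":            {"DEV_A"},                       # fingerprint checked in person
    "DEV_A":         {"ME", "DEV_B", "DEV_C", "DEV_D"},
    "DEV_B":         {"DEV_A", "RELEASE"},
    "DEV_C":         {"DEV_A", "RELEASE"},
    "DEV_D":         {"DEV_A", "RELEASE"},
    "RELEASE":       {"DEV_B", "DEV_C", "DEV_D"},
    # An attacker who can replace the .exe and its .asc on a mirror can also
    # publish a key that certifies a bogus release key; nobody I trust has
    # certified ROGUE, so that chain never becomes valid.
    "ROGUE":         {"ROGUE_RELEASE"},
    "ROGUE_RELEASE": set(),
}

# Constructed owner trust: how far I trust each key *holder* to certify others.
# "ultimate" is my own key; keys absent from the map count as unknown.
SAMPLE_OWNERTRUST = {
    "ME":    "ultimate",
    "DEV_A": "full",       # met in person, known to check IDs carefully
    "DEV_B": "marginal",
    "DEV_C": "marginal",
    "DEV_D": "marginal",
}


def signers_of(sigs, key):
    """Keys that have certified `key`, excluding its own self-signature."""
    return {s for s, signed in sigs.items() if key in signed and s != key}


def compute_validity(sigs, ownertrust, *, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key whose validity can be established.

    A key becomes valid at depth d when, among the already-valid keys that
    certified it, at least `completes_needed` have full (or ultimate) owner
    trust or at least `marginals_needed` have marginal owner trust.  Keys
    certified only by unverified or untrusted introducers never qualify,
    and chains longer than `max_cert_depth` are not followed.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    all_keys = set(sigs) | {k for signed in sigs.values() for k in signed}
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for key in all_keys - set(valid):
            full = marginal = 0
            for signer in signers_of(sigs, key):
                if signer not in valid:
                    continue            # an unverified introducer counts for nothing
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break                       # fixed point: no further keys can be validated
        valid.update(newly)
    return valid


def release_key_is_valid(sigs, ownertrust, release_key, **opts):
    """True if `release_key` is reachable through the web of trust."""
    return release_key in compute_validity(sigs, ownertrust, **opts)


if __name__ == "__main__":
    validity = compute_validity(SAMPLE_SIGS, SAMPLE_OWNERTRUST)
    for key in sorted(validity, key=validity.get):
        print(f"{key:15s} valid at depth {validity[key]}")
    print("RELEASE trusted:", release_key_is_valid(SAMPLE_SIGS, SAMPLE_OWNERTRUST, "RELEASE"))
    print("ROGUE_RELEASE trusted:", release_key_is_valid(SAMPLE_SIGS, SAMPLE_OWNERTRUST, "ROGUE_RELEASE"))
```

In the sample graph the release key is valid only because three marginally trusted developers, each themselves certified by a fully trusted key, have signed it; remove one of those signatures, or cap the chain length at two, and it drops out. That is the practical point of the thread: `gpg --verify file.asc file` tells you the signature matches some key, and `gpg --list-sigs` on that key shows who has certified it, but a signature whose key has no path back to something you have verified yourself proves no more than a checksum hosted next to the binary.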