Need hash sums for .EXE if from sourceforge
Ethan Blanton
elb at pidgin.im
Thu May 31 19:53:12 EDT 2012
Dave Warren spake unto us the following wisdom:
> That's probably worthwhile for all 6 users who will bother to check it.
>
> Plus the reality of it, at least from my point of view, is that
> unless the GPG signature is distributed in a significantly different
> fashion from the EXE itself, it can be tampered with by anyone who
> has access to update the EXE itself.
That's what the web of trust is for. :-)
You can build some significant confidence in the Pidgin signed
releases through the web of trust, even if you cannot firsthand verify
the signatures. For example, I sign most emails I send, to this and
other mailing lists. If the key I use for that weren't mine, someone
probably would have noticed by now. I have cross-signed keys with at
least half a dozen other Pidgin developers at various face-to-face
meetings. Several of those developers have likely signed other
developers into the loop. You can likely find other links for pidgin
devs to high-profile keys.
That sort of verification isn't strong enough for many uses, but it's
far stronger than a simple checksum.
Ethan
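A toy model of the web-of-trust validity computation Ethan describes, added here as an illustration and not code from the post, from Pidgin or from GnuPG; the key names, the certification graph and the owner-trust assignments are constructed, and the thresholds are GnuPG's classic-model defaults (one fully trusted signer or three marginally trusted signers, within a certification chain of at most five steps):

```python
# GnuPG 'classic' trust model defaults (constructed model, not real gpg code)
COMPLETES_NEEDED = 1   # one fully trusted signer suffices
MARGINALS_NEEDED = 3   # or three marginally trusted signers
MAX_CERT_DEPTH = 5     # signers deeper than this are ignored

# Constructed certification graph: key -> set of keys that signed it.
SIGNATURES = {
    "alice": {"you"}, "bob": {"you"}, "carol": {"you"},  # people you met
    "elb": {"alice", "bob", "carol"},        # three marginal signers
    "pidgin-release": {"elb"},               # one fully trusted signer
    "dave": {"alice", "bob"},                # only two marginals: not enough
}

# Owner trust you assigned to each key holder's signing habits (constructed).
OWNER_TRUST = {"you": "ultimate", "alice": "marginal", "bob": "marginal",
               "carol": "marginal", "elb": "full"}

def compute_valid_keys(own_key, signatures, owner_trust):
    """Return {key: depth} for every key valid under the rules above."""
    valid = {own_key: 0}          # your own key is valid at depth 0
    changed = True
    while changed:                # iterate until no new key becomes valid
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            full, marginal, depths = 0, 0, []
            for s in signers:
                # A signature counts only if the signer's key is itself valid,
                # is not too deep, and you assigned the signer owner trust.
                if s not in valid or valid[s] >= MAX_CERT_DEPTH:
                    continue
                trust = owner_trust.get(s)
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
                else:
                    continue
                depths.append(valid[s])
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid[key] = min(depths) + 1
                changed = True
    return valid

if __name__ == "__main__":
    for k, d in sorted(compute_valid_keys("you", SIGNATURES, OWNER_TRUST).items()):
        print(f"{k}: valid at depth {d}")
```

With this graph the release key becomes valid through three marginal signers on the developer key, while a key signed by only two of them does not; a bare checksum carries no such chain at all.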