[Pidgin] Are the packages signed modified
trac at pidgin.im
Thu Sep 20 15:02:37 EDT 2012
Page "Are the packages signed" was changed by datallah
Diff URL: <https://developer.pidgin.im/wiki/Are%20the%20packages%20signed?action=diff&version=4>
Comment: Add a section about what signatures are and why they're important (snagged chunks from the Tor project's site)
Index: Are the packages signed
--- Are the packages signed (version: 3)
+++ Are the packages signed (version: 4)
@@ -1,5 +1,14 @@
+== What is a signature and why should I check it? ==
+When you download a file from the internet, you don't have a good way of knowing if it may have been tampered with. It's not beyond the realm of possibility that someone could release a patched version of pidgin that transparently captured your passwords and uploaded them to some server.
+This is where signatures come in - file signatures are very similar in concept to the idea behind signing both the back of your credit card, and a credit card receipt. The signature is a verification that the file came from who it was expected to come from.
+You probably have noticed that vendors frequently don't bother to compare the signature on the receipt to the signature on the back of the card, which makes it so that anyone could have been using the credit card (let's pretend that the signature on a credit card slip isn't trivially easy to forge). Similarly, if you don't verify the signature on a file, even if the file is signed, you don't have any confidence that it came from where it was expected to come from.
+Due to the nature of how signing works, an additional benefit is that if you verify the signature, you can be confident that nothing got corrupted during the download process - the file you have is exactly as it was when it was signed.
== Source Tarballs ==
-The source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are signed with [http://www.gnupg.org/ GPG] by on of the following people:
+The source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are signed with [http://www.gnupg.org/ GPG] by one of the following people:
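Review bot: The new section (first hunk, the sentence "The signature is a verification that the file came from who it was expected to come from") should state that this only holds if the reader has obtained the signer's public key through a trusted path and checked its fingerprint; a signature that verifies against an untrusted key proves nothing, so a line pointing readers to the signer list and key fingerprints that follow under "Source Tarballs" would close the gap. Minor style points in the same hunk: "pidgin" should be capitalized as "Pidgin" in "a patched version of pidgin", and the parenthetical "let's pretend that the signature on a credit card slip isn't trivially easy to forge" undercuts the analogy it is meant to support and could be dropped.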
Page URL: <https://developer.pidgin.im/wiki/Are%20the%20packages%20signed>
This is an automated message. Someone added your email address to be
notified of changes on 'Are the packages signed' page.
If it was not you, please report to datallah at pidgin.im.
More information about the Wikiedit