Subject: Re: adding gpg to src/gnu/dist
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-security
Date: 05/17/2004 14:09:00
>>> [...nbsvtool...gnupg...]
>> [...nbsvtool...gnupg...]
> [...nbsvtool...gnupg...]

I have a suggestion which may be heretical, but seems reasonable to me:
why not sign things with GPG, PGP, nbsvtool, and whatever other forms
of sigature we think have wide enough acceptance to be worth using?
(S/MIME, maybe?)  The nbsvtool (or whatever) signatures can be checked
by the NetBSD tools, with any of them checkable by humans who want to
make sure they've got a clean distribution when they have it on some
other (non-NetBSD) machine.

The truly paranoid, of course, will check them all, which is as it
should be; as someone pointed out, having more signatures cannot make
the file itself less secure - at most they can lead to a false sense of
security, and I don't think that's a danger when providing a half-dozen
different forms of signature over the same files.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B