New mirror for WinPT + GnuPG installer

Toxik - Fabian Rodriguez Fabian.Rodriguez@Toxik.com
Wed Dec 4 15:45:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi Michael,

Thanks for your comments. An important detail, I am not the author of
the installer of WinPT. I just set up a mirror of the latest files and
mostly the same text as the original page, with permission of the
author.

> -----Original Message-----
> From: gnupg-users-admin@gnupg.org [mailto:gnupg-users-admin@gnupg.org] On
> Behalf Of Michael Nahrath
[...]
> But before downloading one of those 'made easy' packets I have some
> questions (not only to you).
>
> <http://www.gnupg.org/(en)/download/index.html> only provides binaries
> without an installer. Is there a certain reason for this?

* WOW * I didn't know there had been a new look-and-feel site released.
GnuPG is *only* a command line implementation of OpenPGP. GnuPG's
project goal is not to provide a GUI installer for each platform (or
even only one).

If you look at the Related Software section of gnupg.org, in
"FrontEnds", you will find WinPT:
http://www.gnupg.org/(en)/related_software/frontends.html

But WinPT also requires unpacking and setting up the files and
environment manually.

> <http://www.winpt.org/download.html> offers a graphical installer but it is
> quite outdated (installs GPG 1.06).

The reason is that WinPT's project is not to provide the graphical
installer. The WinPT installer is pretty recent (2 weeks I think!),
and has not been tested a lot. I think the current download at
WinPT.org can be more stable, but I agree it's not very clear what
software this installs. You may want to subscribe/write to the
WinPT-users list about this:
http://www.winpt.org/mlist.html

> <http://areaii.ufpe.br/~tango/winpt.html> and <http://www.nullify.org/>
> offer recent installers (GPG 1.2.1).
> But those binaries were built by people I have never heard of.
>
> By principle (please don't take it personally!):
> How can I know that these versions are unchanged and don't install trojan
> horses or other ugly stuff?

It's up to you to decide, but at least you have the choice :) From my
understanding, Nullify's builds were offered faster than GnuPG.org's
official ones, so they became popular for testing purposes. In a
production environment, it's clear I'd rather use GnuPG's version,
and I'll ask Gustavo (the installer's creator) about this. Thanks for
the reminder :)

> When it comes to software I trust in Werner Koch. At least I have a
> trust-path to the key that signed the source archives.
> I have no trust-path to you or Keith.
> Actually I hardly have a trust-path to any developer whose software I
> installed (not even to Apple Computers), but GPG is ... a bit
> more special.

Where do you update your keyring to/from? Personally I only sign
keys that I get requests from and that I can verify on different
levels, including how long I've known someone, met personally, seen
participating in different forums, etc. I don't ask for signatures
unless I know other people can do the same kind of verification on me.
I have not asked them to sign my keys yet, but I eventually may.
However you can check my trust by making a quick search on Google,
for example, for fabian.rodriguez@toxik.com. Other verifications can
include checking business directories or corporation indexes (for
example, looking for Toxik in the Canadian corporations database at
Strategis will show our record at
http://strategis.ic.gc.ca/cgi-bin/sc_mrksv/corpdir/dataOnline/corpns_re?company_select=3701425
). Trust in my OpenPGP setup for now is very low, partly because I
spent too much time building trust on Thawte's WOT some time ago ;) -
of which I am still a notary.

> At <http://www.gnupg.org/> I have not found a link to
> <http://www.nullify.org/> or one of the other installer sites.

I doubt very much that there ever will be, as GnuPG.org has its own
(official) gnupg binaries.

> What do the GnuPG developers think about the other installers?

It depends, most hard-core unix users view them as useless (some of
my closest friends think that). Some of the business users or
end-users that don't know/don't have the time to go through all the
manual steps to properly install and use it appreciate them the most.
Ultimately, those that need them create them, which you can't do
with most closed-source/commercial licensed software.

> I don't want to suspect anyone of something bad.
> These are rather general doubts I have about software distribution.

And very good questions, which we tend to forget as we go on with our
exploration and tests... thanks for reminding me of some important
things (like requesting more signatures ;).

Take care,

Fabián Rodríguez - Toxik Technologies, Inc.
www.toxik.com - (514) 528-6945 @221
OpenPGP: 0x5AF2A4D5


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows 2000) - WinPT 0.7.92-cvs

iD8DBQE97hROfUcTXFrypNURAumyAJ9YCmtdpLR10mb7GhbnWuffPNknkACffkii
RMiQC/OkNsgLbR65wdKyxjY=
=wrO5
-----END PGP SIGNATURE-----
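The "trust-path" question in the exchange above (whether the key that signed a source archive or an installer can be reached from your own key through people you trust) is what GnuPG's classic web-of-trust model computes. The following is an added example, not part of the original message and not code from GnuPG or WinPT: a simplified reimplementation of that validity computation, using GnuPG's default parameters (completes-needed 1, marginals-needed 3, max-cert-depth 5). The keyring, the key names ("me", "alice", "release", "builder", and so on) and the owner-trust assignments are constructed for illustration; it leaves out expiry, revocation and signature verification itself.

```python
"""Simplified OpenPGP web-of-trust validity check, modelled on GnuPG's classic
trust model (defaults --completes-needed 1, --marginals-needed 3,
--max-cert-depth 5). The keyring below is constructed for illustration; the
names are not real keys or people."""

# Owner-trust levels the keyring owner assigns to other people's keys, i.e.
# how far each person is trusted to certify (sign) third-party keys correctly.
FULL, MARGINAL, NONE = "full", "marginal", "none"

COMPLETES_NEEDED = 1   # one fully trusted certification validates a key
MARGINALS_NEEDED = 3   # or three marginally trusted certifications
MAX_CERT_DEPTH = 5     # longest certification chain that is followed


def compute_validity(own_key, certifications, owner_trust,
                     completes_needed=COMPLETES_NEEDED,
                     marginals_needed=MARGINALS_NEEDED,
                     max_cert_depth=MAX_CERT_DEPTH):
    """Return {key: depth} for every key that becomes valid.

    own_key:        the ultimately trusted key (depth 0).
    certifications: {signer: set(keys the signer has certified)}.
    owner_trust:    {key: FULL | MARGINAL | NONE}; missing keys count as NONE.
    A key may act as an introducer only once it is itself valid AND has
    owner trust; that chain of introducers is the "trust path".
    """
    valid = {own_key: 0}
    for depth in range(1, max_cert_depth + 1):
        introducers = [k for k in valid
                       if k == own_key or owner_trust.get(k, NONE) in (FULL, MARGINAL)]
        # Count certifications on each not-yet-valid key, by introducer weight.
        tally = {}
        for signer in introducers:
            weight = FULL if signer == own_key or owner_trust.get(signer) == FULL else MARGINAL
            for target in certifications.get(signer, ()):
                if target not in valid:
                    counts = tally.setdefault(target, {FULL: 0, MARGINAL: 0})
                    counts[weight] += 1
        newly_valid = [k for k, c in tally.items()
                       if c[FULL] >= completes_needed or c[MARGINAL] >= marginals_needed]
        if not newly_valid:
            break                      # no progress: deeper rounds change nothing
        for k in newly_valid:
            valid[k] = depth
    return valid


def signature_acceptable(validity, signer_key):
    """A good signature on a download only means something if the signing key
    is valid (reachable through the trust path); an unknown key proves nothing."""
    return signer_key in validity


# Constructed keyring: "me" has met alice (full trust) and knows bob, carol and
# dave less well (marginal). "release" stands for an upstream release-signing
# key, "builder" for the key of an unknown third-party installer packager.
CERTIFICATIONS = {
    "me":    {"alice", "bob", "carol", "dave"},
    "bob":   {"release", "builder"},
    "carol": {"release"},
    "dave":  {"release"},
}
OWNER_TRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
               "dave": MARGINAL, "release": NONE}

VALIDITY = compute_validity("me", CERTIFICATIONS, OWNER_TRUST)

if __name__ == "__main__":
    for key, depth in sorted(VALIDITY.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{key:8s} valid at depth {depth}")
    print("release signature acceptable:", signature_acceptable(VALIDITY, "release"))
    print("builder signature acceptable:", signature_acceptable(VALIDITY, "builder"))
```

With this keyring "release" becomes valid at depth 2 because three marginally trusted people certified it, while "builder" (certified by bob alone) never does, which is exactly the situation described for installers built by people one has never heard of: a signature from such a key verifies cryptographically but carries no trust. Tightening `marginals_needed` or `max_cert_depth` shrinks the set of acceptable keys accordingly.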