New mirror for WinPT + GnuPG installer
Toxik - Fabian Rodriguez
Wed Dec 4 15:45:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
Thanks for your comments. An important detail, I am not the author of
the installer of WinPT. I just setup a mirror of the latest files and
mostly the same text as the original page, with permission of the
> -----Original Message-----
> From: email@example.com
> Behalf Of Michael Nahrath
> But before downloading one of those 'made easy' packets I have
> questions (not only to you).
> <http://www.gnupg.org/(en)/download/index.html> only provides
> without an installer. Is there a certain reason for this?
* WOW * I didn't know there had been a new look-and-feel site
GnuPG is *only* a command line implementation of OpenPGP. GnuPG's
project goal is not to provide a GUI installer for each platform (or
even only one).
If you look at the Related Software section of gnupg.org, in
"FrontEnds", you will find WinPT:
But WinPT also requires unpacking and setting up the files and
> <http://www.winpt.org/download.html> offers a graphical installer
> but it is
> quite outdated (installs GPG 1.06).
The reason is that WinPT's project is not to provide the graphical
installer. The WinPT installer is pretty recent (2 weeks I think!),
and has not been tested a lot. I think the current download at
WinPT.org can be more stable, but I agree it's not very clear what
software this installs. You may want to subcribe/write in the list
WinPT-users abouth this:
> <http://areaii.ufpe.br/~tango/winpt.html> and
> offer recent installers (GPG 1.2.1).
> But those binaries where built by people I have never heard off.
> By principle (please don't take it personal!):
> How can I know that these versions are unchanged and don't install
> horses or other ugly stuff?
It's up to you to decide, but at least you have the choice :) From my
understanding, Nullify's builds were offered faster than GnuPG.org's
official ones, so they became popular for testing purposes. In a
production environment, it's clear I'd rather use GnuPG's version,
and I'll ask Gustavo (the installer's creator) about this. Thanks for
the reminder :)
> When it comes to software I trust in Werner Koch. At least I have
> trust-path to the key that signed the source archives.
> I have no trust-path to you or Keith.
> Actually I hardly have a trust-path to any developer whose software
> installed (not even to Apple Computers), but GPG is ... a bit
> more special.
Where do you update your keyring to/from ? Personally I only sign
keys that I get requests from and that I can verify on different
levels, including how long I've known someone, met personally, seen
participating in different forums, etc. I don't ask for signatures
unles I know other people can do the same kind of verification on me.
I have not asked them to sign my keys yet, but I eventually may.
However you can check my trust by making a quick search on Google,
for example, for firstname.lastname@example.org. Other verifications can
include checking business directories or corporation indexes (for
example, looking for Toxik in the Canadian corporations database at
Strategis will show our record at
). Trust in my OpenPGP setup for now is very low, partly because I
spent too much time building trust on Thawte's WOT sometime ago ;) -
of which I am still a notary.
> At <http://www.gnupg.org/> I have not found a link to
> <http://www.nullify.org/> or one of the other installer sites.
I doubt very much that there ever will, as GnuPG.org has its own
(official) gnupg binaries.
> What do the GnuPG developers think about the other installers?
It depends, most hard-core unix users view them as useless (some of
my closest friends think that). Some of the business users or
end-users that don't know/don't have the time to go through all the
manual steps to properly install and use it appreciate them the most.
Ultimately, those that need them create them, which you can't do
with most closed-source/commercial licensed software.
> I don't want to suspect anyone of something bad.
> These are rather general doubts I have about software
And very good questions, which we tend to forget as we go on on our
exploration and tests... thanks for reminding me of some important
things (like requesting more signatures ;).
Fabián Rodríguez - Toxik Technologies, Inc.
www.toxik.com - (514) 528-6945 @221
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows 2000) - WinPT 0.7.92-cvs
-----END PGP SIGNATURE-----