Successful experiment boosting the number of users using OpenPGP verification for file download

Heinz Diehl htd at
Fri Aug 2 15:26:46 CEST 2013

On 02.08.2013, Doug Barton wrote: 

> However, what you really want to encourage is the verification of the
> signature (ignoring the bootstrapping problem for the moment), and even
> forcing people to download the signature file won't do that.

Enforcing something on people mainly results in the opposite of what you want them to do.

> In fact I would argue that the only folks interested in verifying the signature already do
> that

You can't know. There can be people who download the sig but don't
manage to get it checked afterwards. Quality improvement should both
target these and all the others who don't bother. Show them why it is
important, how they could be affected by the negative consequences of
not checking the signature. And show them how they can do that.

> and that any increase in downloads of the signature files is
> statistically meaningless.

There is no such thing as "statistically meaningless". A difference
can be statistically significant (it's unlikely the result occurred
by chance) or non-significant (it's likely that the results you
observe are due to natural variation/chance).

What you mean is that the increased download rate isn't relevant
(because it's flawed by the fact that downloading the sig doesn't
indicate that it has been checked) ;-)

You can only find out if an increased download rate is related to an
increased signature check if you ask the downloaders themselves.
