Why trust gpg4win?

[Jasper den Ouden]

> The solution of course is as you urged takethebus at gmx.de , to get a
> free operating system such as Linux or BSD, complete with free 
> build tools  & compile your own (even non programmers can do that, 
> eg on an OS downloaded from http://www.freebsd.org
Compiling your own fixes the issue of the sources not corresponding to
 binaries. (well possibly there is a hole you compile with a
compromised binary)

But i think people are _correct_ in thinking that it is too much work?
Package managers currently rather often sign the packages, the
delivery part has a measure of security, at least. Cant package
managers like apt come with easy to tools to check that the binary
corresponds to the sources so people can easily do so? Perhaps a
standard place to vouch for the fact that you did check some package
would be a nice thing aswel. gitian.org might be a good start.

This way of improving security might reach more people for the same or
less work. (However PKGBUILDs on pacman AUR have not always been
co-operative, not everything may compile easily, and if you tweak
something to make it work, a difference in compiled result might hinge
on that)

As others noted, endpoints are too often insecure. Arent computers
getting much cheaper now, as shown by say, the raspberry pi? It seems
to me that it is time to start running highly-security oriented
operating systems on cheap computers. Those would then just be used
for message sending, signing documents, basic browsing..(Is there a
pdf tool for extra security.) If it is not a persons main computer,
restricting what it is used for is simply not an inconvenient nearly
as much.