Please remove MacGPG from gnupg.org due to serious security concerns
Doug Barton
dougb at dougbarton.email
Wed Feb 18 17:46:23 CET 2015
On 2/18/15 2:52 AM, Jonathan Schleifer wrote:
> Well, I guess you have to take into account that a lot of downloads are from packaging software like pkgsrc, FreeBSD ports, Gentoo portage, ArchLinux's makepkg, etc. Usually, these do download the signature and tarball once, verify it and then write a checksum to the Makefile / PKGBUILD / however it is called that is then verified. So I guess you can't easily map that to "Only x% of users check the downloaded tarball". I guess it's a lot more, it's just not all check it using the .sig.
Back when I was involved with the FreeBSD project I included code in the
Makefile to verify the PGP signature for all of my ports that had one,
as did a few other maintainers. However, not only was there no
consensus to do this more generally, there was active opposition to
doing it at all.
If you are a FreeBSD user and believe that this would be something
beneficial to the ports system, please send them e-mail at
freebsd-ports at freebsd.org and let them know. :)
Doug
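As an added illustration of the workflow Jonathan describes above (download tarball and .sig once, verify, then pin a checksum that every later build checks), here is a small shell script. It is not code from this mail, from FreeBSD ports or from any of the packaging systems named; it assumes GnuPG 2.1+ and sha256sum are on PATH, and the key identity, file names and the distinfo-style line format are illustrative. The sample "tarball" is constructed in place and signed with a throwaway key standing in for the upstream maintainer's key.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD ports:
# "verify the upstream .sig once, then pin a checksum for every later
# build". Assumes GnuPG 2.1+ and sha256sum on PATH; key identity, file
# names and the distinfo-style line format are illustrative.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$WORK"' EXIT

TARBALL="$WORK/foo-1.0.tar"
SIG="$TARBALL.sig"
DISTINFO="$WORK/distinfo"

# Constructed sample: a stand-in "upstream" file, detach-signed with a
# throwaway key that plays the role of the upstream maintainer's key.
printf 'constructed stand-in for foo-1.0.tar\n' > "$TARBALL"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Upstream <upstream@example.invalid>' default default never
gpg --batch --quiet --detach-sign --output "$SIG" "$TARBALL"

# The maintainer pins the upstream key fingerprint out of band (here it is
# simply read back) so a valid signature from some *other* key is rejected.
FPR=$(gpg --batch --with-colons --list-keys upstream@example.invalid \
      | awk -F: '$1=="fpr"{print $10; exit}')

# Step 1 (done once, by the port maintainer): check the detached signature
# against the pinned fingerprint, then record SHA256 of the tarball.
verify_and_pin() { # tarball sig trusted_fpr distinfo
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # GOODSIG only says "some key in the keyring"; VALIDSIG names the key.
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$3" || return 1
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    printf 'SHA256 (%s) = %s\n' "$(basename "$1")" "$sum" >> "$4"
}

# Step 2 (every build, no gpg needed): compare the fetched file to the pin.
check_pinned() { # tarball distinfo
    expected=$(awk -v f="($(basename "$1"))" '$1=="SHA256" && $2==f {print $4}' "$2")
    [ -n "$expected" ] || return 1
    [ "$expected" = "$(sha256sum "$1" | cut -d' ' -f1)" ]
}

verify_and_pin "$TARBALL" "$SIG" "$FPR" "$DISTINFO"
check_pinned "$TARBALL" "$DISTINFO"
echo "pinned: $(cat "$DISTINFO")"
```

The point of matching on VALIDSIG with the pinned fingerprint rather than on gpg's exit status is that `gpg --verify` succeeds for any key present in the keyring; a build system that only checks the exit code accepts a tarball signed by whoever managed to get a key imported. Once the checksum line is in distinfo, later builds need neither gpg nor the upstream key, which is why the packaging systems in the thread can verify on every build while the .sig is only fetched once.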