[Psi-devel] OT: CACert included in Kubuntu?
textshell-I1QKlO@neutronstar.dyndns.org
textshell-I1QKlO at neutronstar.dyndns.org
Thu Nov 30 10:26:55 PST 2006
On Thu, Nov 30, 2006 at 09:56:55AM -0800, Justin Karneges wrote:
>
> Actually, this practice of secure retrieval should apply to *any* software
> package you obtain from *anywhere*, not just your operating system. This is
> why I'd like to get HTTPS and Code Signing for Psi downloads, so users can
> ensure they are getting an untainted package.
>
The standard practice is providing md5 or sha1 sums at a trusted
location or signing them with gpg with a key that the user might trust.
I think https won't help very much except raise server load for the
downloads. But having the checksum download "secured" with ssl might be
useful.
I personally distrust the whole CA stuff¹, but some people might feel better
that way.
- Martin H.
¹ at least for anything someone would really want to compromise..