[MPlayer-users] Why are the MPlayer sources not signed ?
r00tkid
kdejunkie at web.de
Sun Aug 4 17:42:02 CEST 2002
hi there,
just a few days ago 2 versions of OpenSSH were trojaned after BSD's ftp
server was broken (okay, this machine was not running *BSD but some SUN
cra*** err, SUN operating system, I guess Solaris).
This was a bit shocking, I took a look at the stuff I always install
that does NOT come signed and MPlayer is among that software, so my
question to the developers, why don't you sign the sources with GnuPG or
PGP 2.6.x ?
You DO NOT even print any MD5 hashes on your website for the packages !
Imagine one day your server gets hacked, a gpg signature is the only way
to tell that a certain package is okay or not ! Okay, assumed that you
use gpg the right way and don't have your secret keys on a machine
that's hosting the sources and is connected to the net...
Curious to see what the developers have to say about this...