Folks,
I think we should PGP sign all the "official" packages that are provided
for download from the various mirror sites. IMHO, this is important
because:
- ensuring that end users can trust PostgreSQL is an important part of
getting the product used in mission-critical applications, as I'm sure
you all know. Part of that is producing good software; another part is
ensuring that users can trust that the software we put out hasn't been
tampered with.
- people embedding trojan horses in open source software is not unheard
of. In fact, it's probably becoming more common: OpenSSH, sendmail,
libpcap/tcpdump and BitchX have all been victims of trojan horse
attacks fairly recently.
- PGP signing binaries is relatively easy, and doesn't need to be done
frequently.
Comments?
I'd volunteer to do the work myself, except that it's pretty closely
intertwined with the release process itself...
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
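The signing and verification workflow the proposal refers to, as an added example that is not part of Neil's mail or of the PostgreSQL release process. It assumes GnuPG 2.x is installed as `gpg`; the signer identity `Release Signer (example) <release@example.invalid>` and the sample payload are constructed placeholders. The script keeps everything in a throwaway `GNUPGHOME` so the real keyring is never touched, produces a detached ASCII-armored signature next to the artifact (the `.asc` file a mirror would serve alongside the tarball), verifies it the way an end user would, and then confirms that a single appended byte makes the same signature fail:

```shell
#!/bin/sh
# Added example (not from the original mail): sign a release artifact with a
# detached PGP signature and verify it with an ephemeral GnuPG keyring.
# Assumes GnuPG 2.x on PATH. Signer identity below is a constructed placeholder.
set -eu

# sign_and_verify FILE
#   Prints "ok" and returns 0 when the detached signature verifies against the
#   untouched file AND fails against a tampered copy; returns 1 otherwise.
sign_and_verify() {
    file="$1"
    # Ephemeral keyring: nothing here touches ~/.gnupg.
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    status=1

    # 1. Release-manager side: generate a throwaway signing key in batch mode
    #    (empty passphrase so signing below needs no pinentry).
    if gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
           --quick-generate-key \
           'Release Signer (example) <release@example.invalid>' default default never \
        2>/dev/null &&
       # 2. Produce the detached, armored signature served next to the tarball.
       gpg --batch --quiet --yes --armor --detach-sign \
           --output "$file.asc" "$file" 2>/dev/null &&
       # 3. User side: verify the downloaded artifact against the .asc file.
       gpg --batch --quiet --verify "$file.asc" "$file" 2>/dev/null
    then
        # 4. A modified artifact must be rejected by the same signature.
        cp "$file" "$file.tampered"
        printf 'X' >> "$file.tampered"
        if ! gpg --batch --quiet --verify "$file.asc" "$file.tampered" 2>/dev/null; then
            status=0
        fi
        rm -f "$file.tampered"
    fi

    rm -rf "$GNUPGHOME"
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

# Stand-alone demo on a constructed "release tarball".
demo_artifact=$(mktemp)
printf 'constructed sample release payload\n' > "$demo_artifact"
sign_and_verify "$demo_artifact"
rm -f "$demo_artifact" "$demo_artifact.asc"
```

In a real release the key would of course be long-lived and its fingerprint published out of band (on the project web site, in announcements), since a signature only helps users who can tell the project's key from anyone else's; the verification step in the script is exactly what a downloader runs after importing that published key.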