|--==> "SJ" == Simon Josefsson <jas(a)extundo.com> writes:
SJ> One idea which would allow security minded people to at least
SJ> be able to manually verify GPG signatures on packages would be
SJ> to include an MD5 checksum of the packages in these signed
SJ> announcements.
Hi Simon!
Are you aware that the packages are already verified against an MD5
checksum? The checksum is in the package-index file. PUI won't
install the package if it doesn't match.
And for people running XEmacs 21.5 [1] the package-index file is GnuPG
signed and you can optionally have PUI verify the signature.
To enable this:
(setq package-get-require-signed-base-updates t)
And it would probably be a good idea to use the following settings for
GnuPG (I don't know about any other PGP package):
,----[ ~/.gnupg/options ]
| keyserver-options auto-key-retrieve
| keyserver wwwkeys.pgp.net
`----
Footnotes:
[1] IMO this code should be in 21.4 as well, I'll cons up a patch for
you, Steve T
--
|---<Steve Youngs>---------------<GnuPG KeyID: 10D5C9C5>---|
| XEmacs - It's not just an editor. |
| It's a way of life. |
|------------------------------------<youngs(a)xemacs.org>---|
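As an added illustration (not code from the XEmacs project or from either poster), the following Python models the check the reply describes: a package-index file carries a checksum for each package, and the installer refuses to install a package whose bytes do not match. The index format here is constructed for the example; the real XEmacs package-index is a different (Lisp) format, and the function and variable names are this example's own.

```python
"""Added example, not XEmacs code: publisher-side index generation and
installer-side verification against the index, in the spirit of PUI's check.
The line-oriented index format is constructed for this example only."""
import hashlib
import hmac
from typing import Dict, Tuple


def publish_index(packages: Dict[str, bytes]) -> str:
    """Maintainer side: list name, size and MD5 hex digest for every package.
    In the real setup this index is the file that gets GnuPG-signed."""
    lines = ["# name size md5"]
    for name in sorted(packages):
        data = packages[name]
        lines.append(f"{name} {len(data)} {hashlib.md5(data).hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_index(index_text: str) -> Dict[str, Tuple[int, str]]:
    """Parse the constructed index format into {name: (size, md5hex)}."""
    entries: Dict[str, Tuple[int, str]] = {}
    for raw in index_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, size, digest = line.split()
        entries[name] = (int(size), digest.lower())
    return entries


def verify_package(index_text: str, name: str, data: bytes) -> Tuple[bool, str]:
    """Installer side: return (ok, reason). Only install when ok is True.
    The checksum is only as trustworthy as the index it came from, so the
    index itself should have been signature-verified before calling this."""
    entries = parse_index(index_text)
    if name not in entries:
        return False, "package not listed in index"
    size, expected = entries[name]
    if len(data) != size:
        return False, f"size mismatch: index says {size}, got {len(data)}"
    actual = hashlib.md5(data).hexdigest()
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(actual, expected):
        return False, "MD5 mismatch: refusing to install"
    return True, "checksum matches"


# Constructed sample data: two fake packages and a same-length tampered copy.
SAMPLE_PACKAGES = {
    "xemacs-base": b"constructed package payload for xemacs-base\n",
    "gnus": b"constructed package payload for gnus\n",
}
SAMPLE_INDEX = publish_index(SAMPLE_PACKAGES)
TAMPERED_GNUS = SAMPLE_PACKAGES["gnus"].replace(b"gnus", b"gnsu")

if __name__ == "__main__":
    print(SAMPLE_INDEX)
    for label, data in (("genuine", SAMPLE_PACKAGES["gnus"]), ("tampered", TAMPERED_GNUS)):
        ok, reason = verify_package(SAMPLE_INDEX, "gnus", data)
        print(f"gnus ({label}): {'install' if ok else 'skip'} - {reason}")
```

The size check catches truncated downloads before hashing; the digest check catches any other change. Because MD5 is listed per package in the index, the index has to be authenticated (the GnuPG signature the reply mentions) for the checksum to say anything about the package's origin rather than just its integrity.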