This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [Mpc-discuss] gcc dependency on unsigned mpc releases

From: Andreas Enge <andreas dot enge at math dot u-bordeaux dot fr>
To: Discussions around mpc <mpc-discuss at lists dot gforge dot inria dot fr>
Cc: gcc at gcc dot gnu dot org
Date: Fri, 30 Apr 2010 16:19:22 +0200
Subject: Re: [Mpc-discuss] gcc dependency on unsigned mpc releases
References: <43eihzfu7u.wl%bjg@gnu.org>

Hi,

On Wed, Apr 28, 2010 at 11:54:45AM -0400, Brian Gough wrote:
> I am just following up on my earlier email to mpc-discuss to check if
> some signatures can be made available for the mpc tarballs.  Currently
> it's not possible to install the latest gcc without the risk of using
> unsigned code.  Thanks.

why not. Is there any gnu policy on how these signatures need to be
created? Can I sign with any gpg key, or does it have to be related
to the domain on which mpc is hosted?

My main practical concern is how to establish a trust path; as long as
there are no signatures on my key, signing hardly increases security
compared to a static hash sum (which I just published on the mpc page).

Andreas

References:
- gcc dependency on unsigned mpc releases
  - From: Brian Gough

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]