This is the mail archive of the
mailing list for the GCC project.
Re: [Mpc-discuss] gcc dependency on unsigned mpc releases
- From: Andreas Enge <andreas dot enge at math dot u-bordeaux dot fr>
- To: Discussions around mpc <mpc-discuss at lists dot gforge dot inria dot fr>
- Cc: gcc at gcc dot gnu dot org
- Date: Fri, 30 Apr 2010 16:19:22 +0200
- Subject: Re: [Mpc-discuss] gcc dependency on unsigned mpc releases
- References: <firstname.lastname@example.org>
On Wed, Apr 28, 2010 at 11:54:45AM -0400, Brian Gough wrote:
> I am just following up on my earlier email to mpc-discuss to check if
> some signatures can be made available for the mpc tarballs. Currently
> it's not possible to install the latest gcc without the risk of using
> unsigned code. Thanks.
why not. Is there any gnu policy on how these signatures need to be
created? Can I sign with any gpg key, or does it have to be related
to the domain on which mpc is hosted?
My main practical concern is how to establish a trust path; as long as
there are no signatures on my key, signing hardly increases security
compared to a static hash sum (which I just published on the mpc page).