Hi, On Wed, Apr 28, 2010 at 11:54:45AM -0400, Brian Gough wrote: > I am just following up on my earlier email to mpc-discuss to check if > some signatures can be made available for the mpc tarballs. Currently > it's not possible to install the latest gcc without the risk of using > unsigned code. Thanks.
why not. Is there any gnu policy on how these signatures need to be created? Can I sign with any gpg key, or does it have to be related to the domain on which mpc is hosted? My main practical concern is how to establish a trust path; as long as there are no signatures on my key, signing hardly increases security compared to a static hash sum (which I just published on the mpc page). Andreas
