
If pieces of the source/executable are digitally signed, you have a basis for some degree of trust. (My pgp came with a detached signature. A bit self-referential, but at least a start.)
Regards - Bill

Agreed, but it imposes further restrictions: it's OK if you can put PGP digitally signed by prz, but not all packages will be available signed from their authors, especially compiled for various platforms. OTOH, most unknowledgeable people will trust almost anything (they are already doing so when downloading java applets). And it would do a great work to spread knowledge about cryptography. Which is a Good Thing. All in all, I think it is a good idea, but addressing the general public will require quite some work, and the 'connoisseurs' might either do as Tim (only use the net) or just make their own mass-store, removable, thingies. Still I'd bet many people will be eager to get a mirror of the major sites on CD.
jr