On Tue, 27 Dec 1994, Matt Blaze wrote:
including tamper-evident seals on their packages, but until consumers learned to expect the seals, all the bad guys had to do was remove the seal entirely before replacing the tainted packages. In the short term, given today's infrastructure, there's not a lot you can do.
Of course, in the medium- and long-term, the best solution is to design good schemes and deploy them widely enough that people learn to expect them.

One solution, or start of a solution, is to tell the user about the signature checks, and how to go about verifying them in the README text file, that most users come to expect in a package of software. Or perhaps add into the tar and zipped package a file called SIGNATURECHECK or something suitably obvious, as well as explaining it. I believe most users expect the README file enough to look in it, at least skimming it.

i want to know everything http://www.mcs.com/~nesta/home.html
i want to be everywhere Nesta's Home Page
i want to fuck everyone in the world &
i want to do something that matters /-/ a s t e zine