Mike Perry wrote:
Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg sign .xpis, but have been sloppy about posting them publicly.
<snip>
For now, I think the right answer is "Fetch it over SSL" or "Check the git/gpg sig".
Could you make a point of publicly posting the .xpi gpg signatures along with the .xpis? I have never liked the method of downloading the extensions via the browser and installing all in one step. I prefer to download the extension, convince myself it is authentic (such as gpg), possibly install it locally in a test accound, and finally install it locally in the account(s) where I intend to use it. At present, the missing ingredient in being able to do that is not having a signature to verify against.
So I'd much appreciate being able to get the signature w/o having to figure out git. Particularly if that signature has already been created.
Thanks, Jim *********************************************************************** To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/