On Sun, 2006-10-01 at 10:48 +0100, Anne Wilson wrote:
> Occasionally I see a red bar in kmail on someone's message, when
> passing it through the list (or somewhere else along the way) has
> corrupted something. I know that it was once found that sometimes an
> additional EOL gets added (that was not on this list), but usually
> it's because either you aren't set up to collect the keys
> automatically, or the keyserver you are using doesn't have the key.

which is going back to the original purpose for signing the message: That a message did come from, and didn't get altered in transit. Whether due to technical goofs, or tampering.

It's too easy to be too forgiving about faults in checking signatures. We shouldn't be, though. It's useless if you're not vigilant. If you're warned, you need to at least think about the warning, if not actually do something about it.

On here, it generally doesn't matter too much. We're not dealing with money, or important personal issues. Though issues of computer security do matter.

I see your message as having a "valid signature," but with the warning that it "cannot verify sender" (it's not countersigned by a trusted third party).

Where I do take issue with that situation is when we get messages on this list, or the announce list, about an update to a package with a similar warning about the message's PGP signature. I do think that programmers should put some effort into having their signatures countersigned by someone at Red Hat that we could put some PGP trust in.

-- 
(Currently running FC4, in case that's important to the thread)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.