Slashdot Mirror


User: Skeeedunt

Skeeedunt's activity in the archive.

Stories: 0
Comments: 1

Comments · 1

  1. Quit missing the point on Do You Code Sign? · Score: 1

    The only thing that signing anything does is ensure that the object you receive is the same as that which a trusted publisher sent you. It says nothing about the usefulness or safety of the code, and isn't meant to. If you trust whoever to write safe code, that's your problem. The only really practical use is to make sure you aren't receiving code that has been modified in transit or posted by someone posing as someone else. Of course, to really do this, you need to verify the integrity of the signer's certificate as well as the code's signature. This either costs money or is generally insecure (as no one is going to bother verifying the MD5 on Joe Blow's random certificate authority, and even if they did so, it theoretically could be compromised in transit as well, unless you call Joe Blow on the phone, and he probably wouldn't know what you were talking about). The only place this really works is in a corporate LAN environment (where this type of breach is much less likely anyway) or with big-name source distributors like MS or Linux distros.