
Re: leaks in our only-signed-software fortress

On Sat, Feb 18, 2012 at 04:42:38PM -0200, Henrique de Moraes Holschuh wrote:
> > Against what? The source is only downloaded from upstream once per
> > upstream release, what is there to check against?
> Upstream VCS, previous releases (when the diff is small enough), request
> that upstream publish in an email message the sha1sum or sha256sum when they
> announce a new release, etc.

A good part of upstreams use git; let's educate them about signed tags.

// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets.  Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.

Attachment: signature.asc
Description: Digital signature

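As an added example (not code from the thread, nor any Debian tooling), the two checks the message and the quoted reply describe, in POSIX sh: comparing a downloaded release tarball against the sha256 that upstream published in its announcement, and verifying an upstream git tag's OpenPGP signature before exporting a tarball from it. The function names, the portable sha256 helper and the keyring handling are my own assumptions; the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread.  Two checks a packager can script
# when importing an upstream release:
#   1. the downloaded tarball hashes to the sha256sum upstream announced
#      (e.g. in the release e-mail)
#   2. the upstream git tag carries a valid OpenPGP signature, so the
#      tarball can be exported from the tag instead of fetched blindly
# Function names and the keyring handling are assumptions of this example.

# Print the SHA-256 of a file; falls back to shasum on BSD-style userland.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_release_checksum FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to the announced digest, 1 otherwise.
# The announced digest is lower-cased first, since announcements vary.
verify_release_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the announced sha256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  announced: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# verify_signed_tag REPO TAG [UPSTREAM_KEY_FILE]
# 'git verify-tag' exits non-zero unless TAG has a valid OpenPGP signature
# from a key in the current keyring.  When an exported upstream key file is
# given, it is imported into a throw-away GNUPGHOME so that only that key,
# and not whatever else sits in the default keyring, can satisfy the check.
# (Upstream creates such a tag with:  git tag -s v1.2 -m 'release 1.2')
verify_signed_tag() {
    repo=$1
    tag=$2
    keyfile=${3:-}
    if [ -n "$keyfile" ]; then
        GNUPGHOME=$(mktemp -d) || return 1
        export GNUPGHOME
        gpg --batch --import "$keyfile" >/dev/null 2>&1 || return 1
    fi
    git -C "$repo" verify-tag "$tag"
}

# Usage (placeholders; nothing runs when this file is only sourced):
#   verify_release_checksum foo-1.2.tar.gz <sha256 from the announcement>
#   verify_signed_tag ~/src/foo v1.2 upstream-maintainer.asc \
#       && git -C ~/src/foo archive --prefix=foo-1.2/ -o foo-1.2.tar v1.2
```

The checksum check only has value when the digest travels over a different channel than the tarball (a signed announcement mail, a mirror the attacker does not control); a digest fetched from the same compromised server proves nothing. The signed tag has no such dependency, which is why the message argues for teaching upstreams to sign them.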