[libvirt] Entering freeze for libvirt-1.2.8
Richard Weinberger
richard at nod.at
Thu Aug 28 07:25:22 UTC 2014
Am 28.08.2014 09:14, schrieb Daniel Veillard:
> On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
>> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard at redhat.com> wrote:
>>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>>
>> Can you please sign the tarball too?
>
> Well, the source rpm is signed, you can check it and it contains the
> tarball, so technically there is already a signed source out there.
> Signing a tarballl means putting out an additional file and keeping
> it forever, I could do that but hum ....
So everyone how wants to build libvirt from source and cares about data
integrity has to unpack/verify the rpm?
Come on... :-)
Signing tarballs is nothing new nor rocket science.
In times where the NSA tries to f*ck everyone at least some basic
cryptographic arrangements should be applied.
I know other projects are sloppy regarding signed releases too, this does
not mean that libvirt should follow their bad example.
Thanks,
//richard
More information about the libvir-list
mailing list