[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Entering freeze for libvirt-1.2.8



Am 28.08.2014 09:14, schrieb Daniel Veillard:
> On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
>> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard redhat com> wrote:
>>>   So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>>
>> Can you please sign the tarball too?
> 
>   Well, the source rpm is signed, you can check it and it contains the
> tarball, so technically there is already a signed source out there.
> Signing a tarballl means putting out an additional file and keeping
> it forever, I could do that but hum ....

So everyone how wants to build libvirt from source and cares about data
integrity has to unpack/verify the rpm?
Come on... :-)

Signing tarballs is nothing new nor rocket science.
In times where the NSA tries to f*ck everyone at least some basic
cryptographic arrangements should be applied.

I know other projects are sloppy regarding signed releases too, this does
not mean that libvirt should follow their bad example.

Thanks,
//richard


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]