signed tarballs
William Roberts
bill.c.roberts at gmail.com
Fri Apr 7 23:52:57 UTC 2017
On Apr 7, 2017 4:41 PM, "Christian Rebischke" <Chris.Rebischke at archlinux.org>
wrote:
On Thu, Apr 06, 2017 at 06:27:08PM -0700, William Roberts wrote:
> Why not just checkout the release with git?
Because this wouldn't solve the problem or do you use signed commits in
your linux-audit git repository?
As long as you use a secure protocol and trust his repo signing the tags
doesn't give you all that much.
And even if you use signed commits I
really would appreciate if you would sign the tarball and provide a hash
for it on the release page. This would increase security a lot.
Yes agreed there, at least HTTPS connections are available.
cheers,
chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20170407/a0e4776e/attachment.htm>
More information about the Linux-audit
mailing list