signed tarballs

Steve Grubb sgrubb at redhat.com
Tue Apr 11 14:03:54 UTC 2017


On Tuesday, April 11, 2017 6:44:13 AM EDT Christian Rebischke wrote:
> On Mon, Apr 10, 2017 at 02:35:31PM -0400, Steve Grubb wrote:
> > Nobody has ever asked for one. I literally build the package in Fedora
> > within a few minutes of a release. Fedora has hashes of the audit tar
> > file in the "sources" file in the build system in case you want any
> > historical information:
> > 
> > http://pkgs.fedoraproject.org/cgit/rpms/audit.git/log/sources
> 
> Hello Steve,
> Well... then I want to ask you if you could use gpg signatures in future
> for your releases. We, at Arch Linux, are currently encouraging upstream
> to use signed releases and https. It's just 5 min of work and it's a big
> step to a more secure internet. Thanks.

I added a sha256sum to the release announcement yesterday. You can also access 
the people page via https.

-Steve
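
Added example, not part of the original message or of the audit project: a checker that verifies a downloaded tarball against a published checksum line such as the sha256sum in the announcement or an entry in the Fedora "sources" file mentioned above. It assumes the line is in either coreutils format (`<hex>  <filename>`) or BSD format (`SHA512 (<filename>) = <hex>`); the function names and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# BSD-style line, e.g. "SHA512 (audit-X.Y.tar.gz) = <hex>"
BSD_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) \((.+)\) = ([0-9a-fA-F]+)$")
# coreutils-style line, e.g. "<hex>  audit-X.Y.tar.gz" (as printed by sha256sum)
GNU_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")
# Digest length in hex characters -> algorithm, for lines that do not name one.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
WEAK = {"md5", "sha1"}  # collision-prone; refused by default


def parse_checksum_line(line):
    """Return (algorithm, filename, hexdigest) for one published checksum line."""
    line = line.strip()
    m = BSD_RE.match(line)
    if m:
        return m.group(1).lower(), m.group(2), m.group(3).lower()
    m = GNU_RE.match(line)
    if m and len(m.group(1)) in ALGO_BY_HEXLEN:
        return ALGO_BY_HEXLEN[len(m.group(1))], m.group(2), m.group(1).lower()
    raise ValueError("unrecognised checksum line: %r" % line)


def verify_tarball(path, line, allow_weak=False):
    """True only if the file's name and digest both match the published line."""
    algo, name, expected = parse_checksum_line(line)
    if algo in WEAK and not allow_weak:
        raise ValueError("refusing weak digest algorithm: " + algo)
    if os.path.basename(path) != name:
        return False
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


def demo():
    """Constructed sample: a stand-in file, not a real audit release."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "audit-0.0.0.tar.gz")
    with open(path, "wb") as f:
        f.write(b"constructed sample bytes")
    digest = hashlib.sha256(b"constructed sample bytes").hexdigest()
    good = verify_tarball(path, digest + "  audit-0.0.0.tar.gz")
    bad = verify_tarball(path, "SHA256 (audit-0.0.0.tar.gz) = " + "0" * 64)
    return good, bad
```

A matching digest shows only that the file matches the published line, so the result is as trustworthy as the channel the line was fetched over; a detached signature adds a check against a key held by the releaser.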



