Re: [dev] Signing releases

From: Colin Mills <colin.j.mills96_AT_gmail.com>
Date: Sat, 25 Jun 2016 10:43:52 -0400

On Sat, Jun 25, 2016 at 9:56 AM, Hugo Lefeuvre <hle_AT_debian.org> wrote:
>
> For security reasons, it would be a good idea to provide PGP/GPG signed
> release tarballs. Signature checks are automatically done by our packaging
> systems and help us to determine whether a new release is trustworthy or
> not before packaging it.
>
> Users should also be able to verify the origin of a new release before
> installing it.


May I suggest OpenBSD's signify [1]. It's got a simple design that I
think fits well with suckless philosophy.

[1]: https://github.com/aperezdc/signify

-------------------------------------------------------------------------------
Colin J. Mills (cjm)
"Don't patch bad code - rewrite it" -- P. J. Plauger
Received on Sat Jun 25 2016 - 16:43:52 CEST
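As an added illustration of the signify workflow suggested above (not code from this thread, nor from signify or suckless themselves): a small Python verifier for signify's public-key and signature file format, doing the checks a packager's tooling relies on before trusting a tarball. It assumes the `cryptography` package for the Ed25519 step; key numbers, comments and tarball contents are constructed samples.

```python
import base64
import os

COMMENT_PREFIX = "untrusted comment: "
KEYNUM_LEN = 8  # signify embeds an 8-byte key id after the "Ed" algorithm tag


def _parse_signify_file(text, payload_len):
    """Parse a signify .pub or .sig file: one comment line, then one base64 line."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("malformed signify file: missing 'untrusted comment:' line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 2 + KEYNUM_LEN + payload_len:
        raise ValueError("unexpected payload length %d" % len(raw))
    if raw[:2] != b"Ed":
        raise ValueError("unsupported algorithm tag %r" % raw[:2])
    return raw[2:2 + KEYNUM_LEN], raw[2 + KEYNUM_LEN:]


def parse_pubkey(text):
    return _parse_signify_file(text, 32)   # 32-byte Ed25519 public key


def parse_signature(text):
    return _parse_signify_file(text, 64)   # 64-byte Ed25519 signature


def verify_release(pubkey_text, sig_text, tarball_bytes):
    """Return True only if sig_text is a valid signature over tarball_bytes by pubkey_text."""
    keynum, pub = parse_pubkey(pubkey_text)
    sig_keynum, sig = parse_signature(sig_text)
    if sig_keynum != keynum:
        return False  # signed by some other key; signify reports "checked against wrong key"
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    try:
        Ed25519PublicKey.from_public_bytes(pub).verify(sig, tarball_bytes)
    except InvalidSignature:
        return False
    return True


def make_signify_text(comment, algo, keynum, payload):
    """Build a signify-format file; used here only to construct sample inputs."""
    b64 = base64.b64encode(algo + keynum + payload).decode()
    return "%s%s\n%s\n" % (COMMENT_PREFIX, comment, b64)


if __name__ == "__main__":
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
    from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
    priv, keynum = Ed25519PrivateKey.generate(), os.urandom(KEYNUM_LEN)
    pub_raw = priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    pub_text = make_signify_text("signify public key", b"Ed", keynum, pub_raw)
    tarball = b"constructed release tarball contents"
    sig_text = make_signify_text("verify with release.pub", b"Ed", keynum, priv.sign(tarball))
    print("genuine tarball verifies:", verify_release(pub_text, sig_text, tarball))
    print("tampered tarball verifies:", verify_release(pub_text, sig_text, tarball + b"x"))
```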
