On Sat, Jun 25, 2016 at 9:56 AM, Hugo Lefeuvre <hle_AT_debian.org> wrote:
>
> For security reasons, it would be a good idea to provide PGP/GPG signed
> release tarballs. Signature checks are automatically done by our packaging
> systems and help us to determine whether a new release is trustworthy or
> not before packaging it.
>
> Users should also be able to verify the origin of a new release before
> installing it.
May I suggest OpenBSD's signify [1]. It's got a simple design that I
think fits well with suckless philosophy.
[1]: https://github.com/aperezdc/signify
-------------------------------------------------------------------------------
Colin J. Mills (cjm)
"Don't patch bad code - rewrite it" -- P. J. Plauger
Received on Sat Jun 25 2016 - 16:43:52 CEST
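An added example, not code from the thread or from signify itself, showing the check a packager would run on a signify-signed release: it parses signify's two-line key and signature files (an "untrusted comment:" line, then base64 of "Ed", an 8-byte key number and the Ed25519 key or signature), rejects a key-number mismatch the way signify does, and verifies with a textbook pure-Python Ed25519 routine. The key number and file comments are constructed; the public key and signature are RFC 8032's first test vector over an empty message, standing in for a release file.

```python
import base64, hashlib

# Ed25519 constants (the algorithm behind signify); textbook affine arithmetic, not constant time.
Q, L = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493
D, I = -121665 * pow(121666, Q - 2, Q) % Q, pow(2, (Q - 1) // 4, Q)
def _add(P, R):  # twisted-Edwards point addition
    (x1, y1), (x2, y2) = P, R
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)
def _mul(P, e):  # double-and-add scalar multiplication
    R = (0, 1)
    while e:
        if e & 1: R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R
def _decode(s):  # decompress a 32-byte point; the top bit carries the sign of x
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q: x = x * I % Q
    if (x * x - xx) % Q: raise ValueError("point not on curve")
    return (Q - x if (x & 1) != (s[31] >> 7) else x), y
B = _decode(bytes.fromhex("58" + "66" * 31))  # standard base point

def ed25519_verify(pk, sig, msg):  # accepts iff [S]B == R + [SHA512(R||A||M)]A
    A, R, S = _decode(pk), _decode(sig[:32]), int.from_bytes(sig[32:], "little")
    h = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % L
    return S < L and _mul(B, S) == _add(R, _mul(A, h))

def parse_signify(text, body_len):
    # Both signify file kinds: a comment line, then base64 of b"Ed" + 8-byte key number + body.
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("missing untrusted comment header")
    raw = base64.b64decode(lines[1])
    if raw[:2] != b"Ed" or len(raw) != 10 + body_len:
        raise ValueError("bad signify container")
    return raw[2:10], raw[10:]

def signify_verify(pubfile, sigfile, msg):
    knum, pk = parse_signify(pubfile, 32)
    snum, sig = parse_signify(sigfile, 64)
    return knum == snum and ed25519_verify(pk, sig, msg)  # key-number mismatch fails first

# Constructed sample: RFC 8032 test vector 1 (empty message) wrapped with a made-up key number.
KEYNUM = bytes.fromhex("0123456789abcdef")
PUB = "untrusted comment: release key\n" + base64.b64encode(b"Ed" + KEYNUM + bytes.fromhex(
    "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")).decode()
SIG = "untrusted comment: verify with release.pub\n" + base64.b64encode(b"Ed" + KEYNUM + bytes.fromhex(
    "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")).decode()
```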