signed tarballs

Christian Rebischke Chris.Rebischke at archlinux.org
Fri Apr 14 23:03:18 UTC 2017


On Fri, Apr 14, 2017 at 09:38:51AM -0400, Steve Grubb wrote:
> As I said in a subsequent email, "we'll go with hashes now and
> work up to signing another day." But I really am serious that the biggest
> threat to the project is not some wild eyed MITM attack targeting a whole
> distribution. It's me. I doubt few people truly understand the impact of the
> bug that Laurent reported and why it moved me to change plans and do a quick
> release. (It was not because ausearch was segfaulting.) Again, I call for more
> testing and bug reports. I know they are in the code. I find a couple every
> day or two.

Yep, the first factor is the code. But keep in mind that signing
tarballs is just 5 minutes of work per release. I see no reason why
audit shouldn't do it; all other redhat projects do it too.
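As an added illustration of the "hashes now, signing later" point in the thread (this is example code, not anything from the audit project or from either poster): the script below builds a constructed tarball, publishes a sha256 file and a detached OpenPGP signature for it, and then shows why the hash file alone is not enough when whoever can replace the tarball can also replace the hash file. It assumes gpg, tar and sha256sum are installed; the key, the tarball name and its contents are made up for the demo.

```sh
#!/bin/sh
# Added example: minimal release signing with a detached OpenPGP signature,
# next to a bare sha256 file, so the two checks can be compared.
set -eu

export GNUPGHOME
GNUPGHOME="$(mktemp -d)"      # throwaway keyring so the host keyring is untouched
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"

# One-time setup: a throwaway signing key. A real project keeps the release
# key offline and publishes its fingerprint through a channel users already trust.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Bot <release@example.invalid>' default default never 2>/dev/null

make_tarball() {   # $1 = output path; constructed source tree, not real audit code
    mkdir -p "$WORK/src"
    echo 'int main(void) { return 0; }' > "$WORK/src/main.c"
    tar -C "$WORK" -czf "$1" src
}

sign_release() {   # $1 = tarball; writes $1.sha256 (hash list) and $1.asc (signature)
    sha256sum "$1" > "$1.sha256"
    gpg --batch --yes --armor --detach-sign --output "$1.asc" "$1" 2>/dev/null
}

# Downloader side. The hash check only proves the file matches the hash file;
# the signature check proves the file was signed by the holder of the release key.
verify_hash()      { sha256sum --check --status "$1.sha256"; }
verify_signature() { gpg --batch --verify "$1.asc" "$1" 2>/dev/null; }

# Scenario: a mirror serving both the tarball and the hash file is altered.
# Both files change together, so the hash still matches; the signature does not.
replace_on_mirror() {   # $1 = tarball
    echo 'unexpected bytes' >> "$1"
    sha256sum "$1" > "$1.sha256"
}

TARBALL="$WORK/audit-example.tar.gz"   # constructed name, not a real release
make_tarball "$TARBALL"
sign_release "$TARBALL"
```

Run it and call `verify_hash "$TARBALL"` and `verify_signature "$TARBALL"` before and after `replace_on_mirror "$TARBALL"`: the hash check passes both times, the signature check passes only before the replacement.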
