Re: signed tarballs
On Mon, Apr 10, 2017 at 02:35:31PM -0400, Steve Grubb wrote:
Nobody has ever asked for one. I literally build the package in
Fedora within
a few minutes of a release. Fedora has hashes of the audit tar file in the
"sources" file in the build system in case you want any historical
information:
http://pkgs.fedoraproject.org/cgit/rpms/audit.git/log/sources
Hello Steve,
well.. then I want to ask you if you could use gpg signatures in future
for your releases. We, at arch linux, are currently encouraging upstream
to use signed releases and https. It's just 5min of work and it's a big
step to a more secure internet. Thanks.
chris
Attachments:
- signature.asc (application/pgp-signature — 833 bytes)