Re: signed tarballs

On Apr 7, 2017 4:41 PM, "Christian Rebischke" <Chris.Rebischke(a)archlinux.org&gt; wrote: On Thu, Apr 06, 2017 at 06:27:08PM -0700, William Roberts wrote: Because this wouldn't solve the problem or do you use signed commits in your linux-audit git repository? As long as you use a secure protocol and trust his repo signing the tags doesn't give you all that much. And even if you use signed commits I really would appreciate if you would sign the tarball and provide a hash for it on the release page. This would increase security a lot. Yes agreed there, at least HTTPS connections are available. cheers, chris