On Fri, Apr 14, 2017 at 09:38:51AM -0400, Steve Grubb wrote:
As I said in a subsequent email, "we'll go with hashes now and
work up to signing another day." But I really am serious that the biggest
threat to the project is not some wild-eyed MITM attack targeting a whole
distribution. It's me. I doubt few people truly understand the impact of the
bug that Laurent reported and why it moved me to change plans and do a quick
release. (It was not because ausearch was segfaulting.) Again, I call for more
testing and bug reports. I know they are in the code. I find a couple every
day or two.
Yep, the first factor is the code. But keep in mind that signing
tarballs is just 5 minutes of work per release. I see no reason why
audit shouldn't do it, all other Red Hat projects do it too.