
On 28.08.2014 09:14, Daniel Veillard wrote:
> On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
>> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard@redhat.com> wrote:
>>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>> Can you please sign the tarball too?
> Well, the source rpm is signed, you can check it and it contains the tarball, so technically there is already a signed source out there. Signing a tarball means putting out an additional file and keeping it forever, I could do that but hum ....

So everyone who wants to build libvirt from source and cares about data integrity has to unpack/verify the rpm? Come on... :-) Signing tarballs is nothing new nor rocket science. In times where the NSA tries to f*ck everyone at least some basic cryptographic arrangements should be applied. I know other projects are sloppy regarding signed releases too, this does not mean that libvirt should follow their bad example. Thanks, //richard
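The verification step the thread argues about, as an added example that is not part of the libvirt discussion above and not libvirt's own tooling: a POSIX shell function that checks a release tarball against a detached OpenPGP signature and, in addition to the signature being good, pins the result to the release manager's expected primary-key fingerprint, so a good signature from some other key in the keyring is still rejected. The file names and the fingerprint argument are placeholders; the only assumption is that `gpg` (GnuPG 2.x) is installed. The SRPM route Daniel describes is the same check with `rpm --checksig` on the package followed by `rpm2cpio ... | cpio -idm` to get the tarball out.

```shell
#!/bin/sh
# Added example (not from the libvirt thread, not libvirt's tooling):
# verify a release tarball against its detached OpenPGP signature and
# pin the signer to one expected primary-key fingerprint.
#
# Usage (file names are placeholders):
#   . ./verify_release.sh
#   verify_tarball libvirt-1.2.8.tar.gz libvirt-1.2.8.tar.gz.asc <primary key fingerprint>
#
# Returns 0 only when all of the following hold:
#   - gpg exits 0 for the signature (no BADSIG, no missing key),
#   - the status output contains a VALIDSIG line, and
#   - the primary-key fingerprint on that line equals the expected one.
# Import only the expected key into a dedicated GNUPGHOME before use;
# this function deliberately does not rely on web-of-trust settings.
set -u

verify_tarball() {
    tarball=$1
    sig=$2
    expected_fpr=$3

    # --status-fd 1 puts machine-readable "[GNUPG:] ..." lines on stdout;
    # human-readable chatter stays on stderr and is discarded here.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) \
        || return 1

    # VALIDSIG <signing-key fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> <primary fpr>
    # The last field is the primary-key fingerprint, which is what release
    # announcements publish; the third field may be a signing subkey.
    primary_fpr=$(printf '%s\n' "$status" \
        | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')

    [ -n "$primary_fpr" ] && [ "$primary_fpr" = "$expected_fpr" ]
}
```

Note that the exit status of `gpg --verify` alone is not enough for a pinning check: it is 0 for a good signature from any key in the keyring, which is why the fingerprint comparison is done on the VALIDSIG status line rather than on the exit code.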