Am 28.08.2014 09:14, schrieb Daniel Veillard:
On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard(a)redhat.com> wrote:
>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>
> Can you please sign the tarball too?
Well, the source rpm is signed, you can check it and it contains the
tarball, so technically there is already a signed source out there.
Signing a tarballl means putting out an additional file and keeping
it forever, I could do that but hum ....
So everyone how wants to build libvirt from source and cares about data
integrity has to unpack/verify the rpm?
Come on... :-)
Signing tarballs is nothing new nor rocket science.
In times where the NSA tries to f*ck everyone at least some basic
cryptographic arrangements should be applied.
I know other projects are sloppy regarding signed releases too, this does
not mean that libvirt should follow their bad example.
Thanks,
//richard