Re: Using .tar.xz only on

On Mon, Mar 21, 2011 at 11:10:14PM +0100, Josselin Mouette wrote:
> OTOH Iʼd really appreciate to see digital signatures along with the
> tarballs.

Please file a bug against sysadmin, Blue Sky component detailing exactly
the idea.

We don't have signatures, so I'd like (need) loads of detail:
1. What guarantee is expected?
   e.g. 100% trust it was uploaded by the maintainer vs 'comes from
   random person who has the ability to upload things @ GNOME'
2. How to handle digital signatures securely?
   e.g. is there is a breakin, having someone steal the private key
   would be really bad, as signatures imply trust.
3. How to expire, announce new versions, get the initial trust, etc?

... basically how is the infrastructure bit handled at Debian/ some
other distro

I think this might be a bit much for d-d-l, so suggest to file the bug
and either discuss on gnome-infrastructure or in the bug (gnome-infra
will automatically receive a copy of the bug).


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]