Re: Gnome Flatpak build system, descriptions and questions

From: Shaun McCance <shaunm gnome org>
To: Alexander Larsson <alexl redhat com>, Michael Catanzaro <mcatanzaro gnome org>, Richard Hughes <hughsient gmail com>
Cc: "gnome-os-list gnome org" <gnome-os-list gnome org>, desktop-devel-list <desktop-devel-list gnome org>
Subject: Re: Gnome Flatpak build system, descriptions and questions
Date: Fri, 26 Aug 2016 10:29:27 -0400

On Fri, 2016-08-26 at 12:05 +0200, Alexander Larsson wrote:

On fre, 2016-08-26 at 05:02 -0500, Michael Catanzaro wrote:


Clone via https:// rather than using git://

Does git verify signatures for this? That avoids the MITM attack i
guess.

Still, I would like us to eventually have a setup where every stable
release of every gnome module has a GPG signed commit, put there by
the
release team. Then we could make sure that the binaries for stable
builds are the proper releases.


Don't all maintainers already use signed tags for releases? Do we not
trust individual maintainers' keys? And if not, how does the release
team verify that what they're signing is correct? Isn't that just
shuffling potential vulnerabilities around?

Sorry for the stream of annoying questions. Here's a non-question to
balance out the email: This is all awesome. Keep up the good work.

--
Shaun

Follow-Ups:
- Re: Gnome Flatpak build system, descriptions and questions
  - From: Michael Catanzaro

References:
- Gnome Flatpak build system, descriptions and questions
  - From: Alexander Larsson
- Re: Gnome Flatpak build system, descriptions and questions
  - From: Richard Hughes
- Re: Gnome Flatpak build system, descriptions and questions
  - From: Alexander Larsson
- Re: Gnome Flatpak build system, descriptions and questions
  - From: Michael Catanzaro
- Re: Gnome Flatpak build system, descriptions and questions
  - From: Alexander Larsson

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]