Re: signatures on release tarballs?

From: Sandy Armstrong <sanfordarmstrong gmail com>
To: Brian Gough <bjg gnu org>
Cc: bug-gsrc gnu org, gnome-infrastructure gnome org
Subject: Re: signatures on release tarballs?
Date: Mon, 29 Mar 2010 07:49:53 -0700

On Mon, Mar 29, 2010 at 7:19 AM, Brian Gough <bjg gnu org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have a question regarding the release tarballs on ftp.gnome.org.
> As far as I can tell, these are not gpg-signed.  Is that correct?
>
> Are signatures available anywhere else or is there any alternative way
> to check them?
>
> I'm working on a collected release of all GNU software packages and
> we'd like to verify everything that goes in it.  Thanks.

When we generate tarballs, we also generate their sha256sum.  Is that
sufficient?  For example:

http://download.gnome.org/sources/tomboy/1.1/tomboy-1.1.4.sha256sum

Sandy

Follow-Ups:
- Re: signatures on release tarballs?
  - From: Ray Wang

References:
- signatures on release tarballs?
  - From: Brian Gough

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]