Re: Archive signatures versus message digests
On Wed, Nov 16, 2011 at 10:10:08PM +0100, Guido Trentalancia wrote:
> I am an end-user, I know nothing about GNOME infrastructure, I am just
> suggesting that the GNOME tarballs are signed by gpg (instead of OR in
> addition to providing message digests).

I was responding because I hoped you could provide some answers on the
difficulties that are involved in this. I am not interested in an "it is
possible" as a standard answer. As such, I don't see any benefit in
continuing a discussion. I've explained everything already. Seems you
still misunderstand why SHA256 is there (not for security!).

Further, the existence of openpgp signatures does not indicate at all
that tarballs are secure. It only indicates that there are openpgp
signatures.

Regarding Bugzilla / openness: I've been cc'ing gnome-infrastructure,
you have been removing that on each reply.

This all said, I am interested in providing those signatures, but only
if they give a reasonable guarantee of security.
-- 
Regards,
Olav
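
The distinction the thread turns on, as an added example that is not part of the original mail or of GNOME's release tooling: a SHA256 digest published beside the tarball is regenerated by whoever can rewrite the tarball, so it detects corrupted downloads but not a compromised mirror, whereas a detached signature can only be refreshed by whoever holds the signing key. The "tarball" is a constructed byte string, and the signature scheme is textbook RSA over two small hardcoded Mersenne primes, a deliberately insecure stand-in for the maintainer's OpenPGP key chosen so the example runs on the standard library alone; `sign`, `verify_signature`, `mirror_compromise` and the other names are this example's own.

```python
"""Added example (not from the thread): digest beside the tarball versus a
detached signature.  Toy RSA with tiny primes stands in for an OpenPGP key;
it is NOT usable as a real signature scheme."""
import hashlib

# Constructed sample release artifact (stands in for a real .tar.xz).
TARBALL = b"gnome-foo-3.2.1.tar.xz\x00" + bytes(range(256)) * 4

# Toy keypair: the Mersenne primes 2**61-1 and 2**31-1.  Far too small for
# real use; chosen only so the arithmetic is transparent.  In a real release
# process this role is played by the release manager's OpenPGP key.
_P, _Q = (1 << 61) - 1, (1 << 31) - 1
MODULUS = _P * _Q
PUBLIC_EXP = 65537
PRIVATE_EXP = pow(PUBLIC_EXP, -1, (_P - 1) * (_Q - 1))  # maintainer only


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish_digest(data: bytes) -> str:
    """What a SHA256SUMS file gives you: anyone holding the bytes can make it."""
    return sha256_hex(data)


def verify_digest(data: bytes, published: str) -> bool:
    return sha256_hex(data) == published


def _hash_as_int(data: bytes) -> int:
    # Reduce the 256-bit hash into the toy modulus (no padding: toy only).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % MODULUS


def sign(data: bytes, private_exp: int = PRIVATE_EXP) -> int:
    """Detached signature over the hash; needs the private exponent."""
    return pow(_hash_as_int(data), private_exp, MODULUS)


def verify_signature(data: bytes, signature: int) -> bool:
    """Anyone with the public key can check; nobody without the private key
    can produce a signature for new bytes."""
    return pow(signature, PUBLIC_EXP, MODULUS) == _hash_as_int(data)


def corrupted_download(data: bytes) -> bytes:
    """Single bit flip in transit: the failure mode a digest is meant to catch."""
    buf = bytearray(data)
    buf[100] ^= 0x01
    return bytes(buf)


def mirror_compromise(data: bytes) -> tuple[bytes, str]:
    """Attacker controlling the mirror swaps the tarball AND republishes a
    matching digest.  They cannot refresh the signature without the key."""
    evil = data.replace(b"gnome-foo", b"gnome-f00")
    return evil, publish_digest(evil)


def scenario() -> dict:
    """Run the three cases and report which check catches what."""
    digest = publish_digest(TARBALL)
    signature = sign(TARBALL)
    evil, evil_digest = mirror_compromise(TARBALL)
    return {
        "genuine_passes_digest": verify_digest(TARBALL, digest),
        "genuine_passes_signature": verify_signature(TARBALL, signature),
        # Corruption: the digest does its job.
        "corruption_caught_by_digest": not verify_digest(
            corrupted_download(TARBALL), digest),
        # Mirror compromise: the republished digest still "verifies".
        "compromise_caught_by_digest": not verify_digest(evil, evil_digest),
        # ...but the old signature no longer matches the swapped bytes.
        "compromise_caught_by_signature": not verify_signature(evil, signature),
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

What the signature check establishes is only that the bytes were signed by the holder of that key; whether that key belongs to the release manager, and whether the release manager's machine was clean when it signed, is exactly the trust question the mail raises, and nothing in the verification step answers it.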

