Re: Archive signatures versus message digests

From: Olav Vitters <olav vitters nl>
To: Guido Trentalancia <guido trentalancia com>
Cc: gnome-infrastructure gnome org
Subject: Re: Archive signatures versus message digests
Date: Fri, 18 Nov 2011 09:55:28 +0100

On Wed, Nov 16, 2011 at 10:10:08PM +0100, Guido Trentalancia wrote:
> I am an end-user, I know nothing about GNOME infrastructure, I am just
> suggesting that the GNOME tarballs are signed by gpg (instead OR in
> addition to providing message digests).

I was responding because I hoped you could provide some answers on the
difficulties that are involved in this. I am not interested in a "it is
possible" as a standard answer. As such, I don't see any benefit in
continuing a discussion. I've explained everything already. Seems you
still misunderstand why SHA256 is there (not for security!).

Further, the existence of openpgp signatures does not indicate at all
that tarballs are secure. It only indicates that there are openpgp
signatures.

Regarding Bugzilla / openness: I've been cc'ing gnome-infrastructure,
you have been removing that on each reply.

This all said, I am interested in providing those signatures, but only
if they give a reasonable guarantee of security.
-- 
Regards,
Olav

References:
- Re: Archive signatures versus message digests
  - From: Olav Vitters
- Re: Archive signatures versus message digests
  - From: Olav Vitters

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]