Re: Gnome Flatpak build system, descriptions and questions



On Fri, 2016-08-26 at 12:05 +0200, Alexander Larsson wrote:
> On fre, 2016-08-26 at 05:02 -0500, Michael Catanzaro wrote:
> > Clone via https:// rather than using git://
>
> Does git verify signatures for this? That avoids the MITM attack I
> guess.
>
> Still, I would like us to eventually have a setup where every stable
> release of every gnome module has a GPG signed commit, put there by the
> release team. Then we could make sure that the binaries for stable
> builds are the proper releases.

Don't all maintainers already use signed tags for releases? Do we not
trust individual maintainers' keys? And if not, how does the release
team verify that what they're signing is correct? Isn't that just
shuffling potential vulnerabilities around?

Sorry for the stream of annoying questions. Here's a non-question to
balance out the email: This is all awesome. Keep up the good work.

--
Shaun
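The two questions above (does cloning over https:// verify anything, and whose keys a build system should trust) come down to a concrete check a build pipeline can run before it trusts a release tag. The script below is an added example for this thread, not code from GNOME, flatpak-builder or anyone on this list. It uses the real `git verify-tag --raw` option, which prints gpg's machine-readable `[GNUPG:]` status lines on stderr, and accepts a tag only when the signature is GOOD and the signing key's full fingerprint is on an explicit allowlist. The fingerprints, key id and sample status lines are constructed placeholders. An https:// clone only authenticates the server you talked to; it says nothing about who authored the tag, which is exactly the gap this check closes. Requiring an allowlisted fingerprint rather than "any GOODSIG" is the build system's answer to "do we trust individual maintainers' keys": the decision is made explicitly, in one place, instead of being implied by whatever happens to be in the builder's keyring.

```shell
#!/bin/sh
# Added example (not from the thread or the flatpak project): gate a build on a
# release tag that is GPG-signed by an allowlisted key.

# Release-signing keys the build system trusts. Constructed placeholder
# fingerprints; a real deployment lists the 40-hex-digit fingerprints of the
# release team's (or maintainers') keys here.
TRUSTED_FINGERPRINTS="0000000000000000000000000000000000000001
0000000000000000000000000000000000000002"

# check_gpg_status STATUS_TEXT
# STATUS_TEXT is gpg --status-fd output, i.e. what `git verify-tag --raw`
# writes to stderr. Returns 0 only if:
#   - no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG/EXPSIG/NO_PUBKEY line is present,
#   - a GOODSIG line is present, and
#   - the VALIDSIG fingerprint is in TRUSTED_FINGERPRINTS.
check_gpg_status() {
    status="$1"
    # Reject outright on any error/expiry/revocation status, even if a GOODSIG
    # line is also present (e.g. a tag with two signatures).
    if printf '%s\n' "$status" \
        | grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|EXPSIG|NO_PUBKEY)'; then
        return 1
    fi
    # A signature that merely verifies is not enough; it must be GOOD.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:] GOODSIG ' || return 1
    # VALIDSIG carries the full fingerprint as its first argument (field 3).
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:] VALIDSIG /{print $3; exit}')
    [ -n "$fpr" ] || return 1
    # Whole-line match against the allowlist, so a prefix cannot sneak through.
    printf '%s\n' "$TRUSTED_FINGERPRINTS" | grep -qx "$fpr"
}

# verify_release_tag REPO_DIR TAG
# Real-world entry point: runs git's own verification and feeds the raw gpg
# status into the policy check. Captures stderr only (the status lines) and
# ignores git's exit code, because the policy below decides.
verify_release_tag() {
    raw=$(git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null) || true
    check_gpg_status "$raw"
}

# Usage (assumes a checkout at ./gnome-module, hypothetical tag name):
#   verify_release_tag ./gnome-module 3.22.0 || { echo "refusing to build"; exit 1; }
```

Wire `verify_release_tag` in before the build step that checks out a tag; the same `check_gpg_status` policy works unchanged on the stderr of `git verify-commit --raw` if the release team's signed commits (rather than tags) become the thing the build keys off.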


