An additional and obvious security measure is to cryptographically sign each file release with a detached armored signature, e.g.,

    gpg --default-key <keyid> --detach-sign --armor cmake-3.3.0.tar.gz

where keyid is a CMake release manager identification key (also created and distributed by gpg). The above command creates a small file called cmake-3.3.0.tar.gz.asc which security-conscious users download along with the tarball itself. They can then verify every byte of both downloads and that the correct cryptographic signature from the CMake release manager was applied using

    gpg --verify cmake-3.3.0.tar.gz.asc

Most important open-source projects (and even many unimportant ones like PLplot, :-) ) routinely apply this security measure for release tarballs, but for some reason up to now, Kitware has not.

Alan

__________________________

Alan W. Irwin

Astronomical research affiliation with Department of Physics and Astronomy, University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the FreeEOS equation-of-state implementation for stellar interiors (freeeos.sf.net); the Time Ephemerides project (timeephem.sf.net); PLplot scientific plotting software package (plplot.sf.net); the libLASi project (unifont.org/lasi); the Loads of Linux Links project (loll.sf.net); and the Linux Brochure Project (lbproject.sf.net).
__________________________

Linux-powered Science
__________________________

-- 

Powered by www.kitware.com

Please keep messages on-topic and check the CMake FAQ at: http://www.cmake.org/Wiki/CMake_FAQ

Kitware offers various services to support the CMake community. For more information on each offering, please visit:

CMake Support: http://cmake.org/cmake/help/support.html
CMake Consulting: http://cmake.org/cmake/help/consulting.html
CMake Training Courses: http://cmake.org/cmake/help/training.html

Visit other Kitware open-source projects at http://www.kitware.com/opensource/opensource.html

Follow this link to subscribe/unsubscribe: http://public.kitware.com/mailman/listinfo/cmake-developers
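The sign-and-verify procedure described in the message above, carried through end to end as an added example (this is not code from the original post, from CMake or from Kitware's release process). It builds an isolated GnuPG keyring in a temporary directory, generates a throwaway passphrase-less "release manager" key, signs a constructed stand-in for cmake-3.3.0.tar.gz with the same detached armored form the post gives, and then verifies both the intact tarball and a tampered copy that reuses the genuine .asc file. The key, the user id "Example Release Manager <release@example.invalid>" and the tarball contents are all made up for the example; the only assumption is that gpg (GnuPG 2.1 or later) and awk are on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: detached armored signing of a
# release tarball and verification of an intact and a tampered copy.
# Assumes GnuPG 2.1+ on PATH. All key material and file contents are constructed.
set -u

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"       # isolated keyring; never touches ~/.gnupg
mkdir -m 700 "$GNUPGHOME"

# Generate a passphrase-less signing key in batch mode and print its key id,
# which plays the role of <keyid> in the post's gpg --default-key command.
make_release_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Example Release Manager <release@example.invalid>" \
        default default never >/dev/null 2>&1
    gpg --batch --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }'
}

# Sign tarball $2 with key $1, producing $2.asc: detached and ASCII-armored,
# exactly the form the post recommends.
sign_release() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --default-key "$1" --detach-sign --armor "$2" 2>/dev/null
}

# Verify tarball $1 against $1.asc; print GOOD or BAD based on gpg's exit status,
# which is the value a download script should key on (not the human-readable text).
verify_release() {
    if gpg --batch --quiet --verify "$1.asc" "$1" >/dev/null 2>&1; then
        echo GOOD
    else
        echo BAD
    fi
}

# Constructed stand-in for the real release tarball.
TARBALL="$WORK/cmake-3.3.0.tar.gz"
printf 'constructed stand-in for the real tarball\n' > "$TARBALL"
KEYID=$(make_release_key)
sign_release "$KEYID" "$TARBALL"

# Tampered copy: same file name, one byte appended, genuine .asc copied alongside.
mkdir -p "$WORK/tampered"
TAMPERED="$WORK/tampered/cmake-3.3.0.tar.gz"
printf 'constructed stand-in for the real tarball!\n' > "$TAMPERED"
cp "$TARBALL.asc" "$TAMPERED.asc"

echo "intact:   $(verify_release "$TARBALL")"
echo "tampered: $(verify_release "$TAMPERED")"
```

The example passes both the signature and the data file to gpg --verify; the post's one-argument form works as well, because gpg derives the data file name by stripping the .asc suffix. The tampered case shows what the measure actually buys a downloader: any change to the tarball after signing makes gpg exit non-zero, so a fetch script can refuse to unpack it. What verification does not decide is whether the signing key really belongs to the release manager; that is the fingerprint the user must obtain out of band and check against the key that produced the signature.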
