Hi, I'm working on some software[0] that includes things built with CMake.
The process for building our project is semi-automated, and to fully automate it, we'd love to be able to verify your package releases. As it stands, we can't verify that the software on your website is correctly downloaded. It lacks even SHA1 or MD5 checksums. However, such checksums are useful within a limited scope. Checksums can help detect download errors but are not useful to prevent any sort of skilled tampering by a dedicated attacker.

It's important to us that we're able to use CMake without having to worry that it was tampered with. We feel that this is important to our users as it creates a good chain of trust for the software we use. Specifically, it would be great if the CMake developer team would use GnuPG or PGP to sign current as well as future CMake releases.

I could have totally missed it, but I don't believe this has been done. Am I mistaken? Does this seem like something that the CMake team may implement?

Best regards,
Jacob Appelbaum

[0] http://torbrowser.torproject.org/
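The distinction the message draws, a checksum catching download corruption versus an OpenPGP signature catching substitution of the file itself, as an added example that is not part of the original post and is not CMake's release tooling. It assumes gpg 2.1 or newer and either sha256sum or shasum on PATH; the signing key, the stand-in "release" file and the tampering step are all constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post or from the CMake project):
# checksum verification versus detached OpenPGP signature verification of a release.
# Assumes gpg 2.1+ and sha256sum or shasum on PATH. The key, the "release" file
# and the tampering are all constructed here for the demonstration.
set -eu

# Constructed throwaway identity; this is not a real CMake signing key.
SIGNER_UID='Constructed Release Signer <signer@example.invalid>'

# Print the SHA-256 hex digest of a file (works with GNU and BSD userlands).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a file against a published checksum file ("<hex>  <name>" on line 1).
# This detects download corruption, but whoever can replace the file on the
# download site can replace the checksum file beside it just as easily.
verify_checksum() {
    expected=$(awk 'NR==1 {print $1}' "$2")
    [ -n "$expected" ] && [ "$expected" = "$(sha256_of "$1")" ]
}

# Verify a detached signature against a public key obtained out of band.
# $1 = ASCII-armored public key, $2 = detached signature, $3 = downloaded file.
# A good signature returns 0; a missing key, bad signature or modified file does not.
verify_signature() {
    vhome=$(mktemp -d)   # isolated keyring so the result depends only on $1
    if gpg --homedir "$vhome" --batch --quiet --import "$1" >/dev/null 2>&1 &&
       gpg --homedir "$vhome" --batch --verify "$2" "$3" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$vhome"
    return "$rc"
}

# Maintainer side: generate a throwaway key, sign a stand-in release file, and
# publish the file, its checksum, its signature and the public key into $1.
make_signed_release() {
    khome="$1/maintainer-home"
    mkdir -p "$khome" && chmod 700 "$khome"
    echo allow-loopback-pinentry > "$khome/gpg-agent.conf"
    printf 'constructed stand-in for a release tarball\n' > "$1/release.tar.gz"
    gpg --homedir "$khome" --batch --no-tty --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$SIGNER_UID" ed25519 sign never >/dev/null 2>&1
    gpg --homedir "$khome" --batch --no-tty --pinentry-mode loopback --passphrase '' \
        --yes --local-user "$SIGNER_UID" --armor --detach-sign \
        --output "$1/release.tar.gz.asc" "$1/release.tar.gz" >/dev/null 2>&1
    gpg --homedir "$khome" --batch --armor --export "$SIGNER_UID" > "$1/signing-key.asc"
    printf '%s  release.tar.gz\n' "$(sha256_of "$1/release.tar.gz")" > "$1/release.tar.gz.sha256"
    gpgconf --homedir "$khome" --kill gpg-agent >/dev/null 2>&1 || true
}

# Print what each check says about the files currently in $1.
report() {
    if verify_checksum "$1/release.tar.gz" "$1/release.tar.gz.sha256"; then
        echo "  checksum:  ok"
    else
        echo "  checksum:  MISMATCH"
    fi
    if verify_signature "$1/signing-key.asc" "$1/release.tar.gz.asc" "$1/release.tar.gz"; then
        echo "  signature: good"
    else
        echo "  signature: BAD (file does not match what the maintainer signed)"
    fi
}

# Walk through the two cases the post contrasts: a clean download, then a
# download where the file was replaced and its checksum re-published to match.
demo() {
    work=$(mktemp -d)
    make_signed_release "$work"
    echo "pristine download:"
    report "$work"
    printf 'constructed tampering\n' >> "$work/release.tar.gz"
    printf '%s  release.tar.gz\n' "$(sha256_of "$work/release.tar.gz")" > "$work/release.tar.gz.sha256"
    echo "tampered file with a matching re-published checksum:"
    report "$work"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh verify_release.sh demo`. In the second scenario the checksum passes and only the signature fails, which is the point of the request: the signature can only be regenerated by someone holding the maintainer's private key, so the downloader must obtain the public key through a channel other than the download site for the check to mean anything.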
