On 2/3/17 8:51pm, Andrus Adamchik wrote:
> 
> 
>> On Mar 2, 2017, at 11:55 AM, Aristedes Maniatis <a...@maniatis.org> wrote:
>>
>> Would it help if we set up a Jenkins job to create the build artifacts then 
>> we have an easier to verify chain from source checkout to artifact creation?
> 
> It most certainly will. How do we sign the files though?

There can still be a step of downloading the files from Jenkins, signing and 
uploading. MD5 hashes are still there for verifying the Jenkins output is 
intact.

I'm not sure how we verify that Jenkins itself isn't compromised, but perhaps 
we can ask what others do.


Ari



-- 
-------------------------->
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
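The manual verify-then-sign step Ari describes, as an added example (not code from this thread or the project): it refuses to sign unless the downloaded artifacts match the checksum file Jenkins produced, writes a detached GPG signature, and verifies that signature before anything is uploaded. The artifact names, the checksum-file layout (a `.md5` or `.sha256` file inside the artifact directory, in `md5sum -c` format) and the SHA-256 variant shown beside the MD5 mentioned above are assumptions.

```shell
#!/bin/sh
# Added example: verify Jenkins checksums, then sign and self-verify before upload.
# Assumes GNU coreutils (md5sum/sha256sum) and gpg with the release key available.
set -eu

# Check every entry of a checksum file against the files in the artifact directory.
# The checksum file is expected to sit inside that directory (assumption).
# Returns 0 only when every listed file is present and matches.
verify_checksums() {
    dir="$1"; sums="$2"
    case "$sums" in
        *.md5)    tool=md5sum ;;       # what the thread mentions
        *.sha256) tool=sha256sum ;;    # stronger alternative, assumed layout
        *) echo "unknown checksum file: $sums" >&2; return 2 ;;
    esac
    ( cd "$dir" && "$tool" -c --strict --quiet "$sums" )
}

# Write a detached, ASCII-armoured signature next to the artifact.
sign_artifact() {
    key="$1"; file="$2"
    gpg --batch --yes --local-user "$key" --armor --detach-sign \
        --output "$file.asc" "$file"
}

# Confirm the signature actually verifies before it leaves the signer's machine.
verify_signature() {
    gpg --batch --verify "$1.asc" "$1"
}

# Usage: release-sign.sh <artifact-dir> <checksum-file-name> <gpg-key-id>
release_sign() {
    dir="$1"; sums="$2"; key="$3"
    verify_checksums "$dir" "$sums" || {
        echo "checksum mismatch: refusing to sign" >&2; return 1; }
    for f in "$dir"/*.tar.gz "$dir"/*.jar; do   # artifact types are an assumption
        [ -f "$f" ] || continue
        sign_artifact "$key" "$f"
        verify_signature "$f"
    done
}

if [ "$#" -eq 3 ]; then
    release_sign "$@"
fi
```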
