On 25.10.2016 19:30, Daniel Shahaf wrote:
> When we do a security release, we upload a *.txt advisory to
> https://subversion.apache.org/security/ and link it from the
> announcement. That advisory isn't currently signed. Could we sign
> them?
>
> That'd be useful, since they contain patches. They are already signed
> in the "embargoed pre-notification" emails, IIRC; just not when they're
> uploaded to the site.

Should be moderately easy to do by tweaking tools/dist/advisory.py. If we do this, I'd argue for making the files ASCII-armored PGP, not keeping signatures separate.

-- Brane
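
An added example, not part of the thread and not code from tools/dist/advisory.py: assuming "ASCII-armored PGP" here means an OpenPGP cleartext signature (RFC 4880 section 7), this shows how that framing dash-escapes the patch lines inside an advisory and how the original text is recovered. The function names, the sample advisory and the signature placeholder are constructed, and no cryptographic signing or verification is performed.

```python
# Added example: RFC 4880 section 7 cleartext signature framing (no crypto).
# The advisory text and the signature body are constructed placeholders.

HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed sample: advisory prose followed by a unified-diff patch.
ADVISORY = (
    "Example advisory (constructed)\n"
    "\n"
    "--- a/example.c\n"
    "+++ b/example.c\n"
    "@@ -1,2 +1,2 @@\n"
    "-old_call();\n"
    "+new_call();\n"
    " return 0;\n"
)


def dash_escape(text):
    """Prefix every line that starts with '-' with '- ' (RFC 4880 7.1)."""
    return "".join(
        "- " + line if line.startswith("-") else line
        for line in text.splitlines(keepends=True)
    )


def wrap_clearsigned(text, signature="(placeholder, not a real signature)"):
    """Build the framing a clearsigning tool emits; nothing is signed here."""
    return (
        f"{HEADER}\nHash: SHA512\n\n{dash_escape(text)}"
        f"{SIG_BEGIN}\n\n{signature}\n{SIG_END}\n"
    )


def extract_cleartext(clearsigned):
    """Recover the original text from the framing. Does NOT verify anything."""
    lines = clearsigned.splitlines(keepends=True)
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a cleartext-signed message")
    # Armor headers such as 'Hash:' end at the first empty line.
    start = next(i for i, l in enumerate(lines) if not l.strip()) + 1
    end = next(i for i, l in enumerate(lines) if l.strip() == SIG_BEGIN)
    body = lines[start:end]
    return "".join(l[2:] if l.startswith("- ") else l for l in body)
```

Inside the signed file the diff header reads `- --- a/example.c` and the removed line reads `- -old_call();`, so the patch has to be taken from the recovered text, after the signature has been verified with an OpenPGP tool, rather than cut directly from the signed advisory.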