On 06/29/2016 14:59, Glen Barber wrote:
If I understand what you mean correctly, that would imply poudriere is responsible for the contents of base.txz, which it is not. I think the better solution (if I understood correctly) is RE needs to PGP-sign the releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include it in the announcement email for the release, as well as on the website.

Please correct me if I did misunderstand. This way, poudriere could verify the hash of the file against what it has downloaded, in addition to verifying the PGP fingerprint.
Yes, only MANIFEST should be signed, I made a mistake suggesting that all binaries should be signed.
I don't quite understand the connection between the poudriere run and the announcement email. Could you please elaborate on this? Just downloading something from the website isn't secure either.
Thank you,
Yuri

_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pkgbase
To unsubscribe, send any mail to "[email protected]"
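The check Glen describes above has two halves: confirm that the MANIFEST was signed by the key RE published out of band (the fingerprint from the announcement mail or website, not just "some key in my keyring"), and only then compare the sha256 of the downloaded set against the value recorded in the MANIFEST. The following is an added illustration of that flow and is not poudriere's or FreeBSD RE's code. It assumes the tab-separated MANIFEST layout used by bsdinstall (file, sha256, file count, name, description, default) and gpg's machine-readable `--status-fd` output; the fingerprint, the MANIFEST contents and the gpg status lines below are constructed placeholders.

```python
"""Added illustration (not poudriere's or FreeBSD RE's code): verify a release
MANIFEST signature against a pinned fingerprint, then check a downloaded
distribution set (e.g. base.txz) against the sha256 recorded in that MANIFEST.

Assumptions: MANIFEST lines look like
  <file>\t<sha256>\t<nfiles>\t<name>\t<description>\t<default>
and the signature is verified with `gpg --status-fd 1 --verify`, whose
VALIDSIG status line carries the signing key's full fingerprint.
"""
import hashlib
import hmac
import subprocess

# Placeholder fingerprint. In practice this is the RE key fingerprint published
# out of band (announcement mail / website); pinning it means a signature from
# any other key that happens to be in the keyring is rejected.
PINNED_RE_FINGERPRINT = "ABCD" * 10  # placeholder, 40 hex digits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text):
    """Map distribution file name -> expected sha256 (lowercase hex)."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            raise ValueError("malformed MANIFEST line: %r" % line)
        expected[fields[0]] = fields[1].strip().lower()
    return expected


def artifact_matches_manifest(manifest_text, filename, data):
    """True only if filename is listed in the MANIFEST and its sha256 matches."""
    expected = parse_manifest(manifest_text)
    if filename not in expected:
        return False  # a set the MANIFEST does not list is never accepted
    return hmac.compare_digest(expected[filename], sha256_hex(data))


def gpg_verify_argv(manifest_path, sig_path):
    """gpg invocation with status output on stdout for machine parsing."""
    return ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, manifest_path]


def signature_from_pinned_key(gpg_status_output, pinned_fpr=PINNED_RE_FINGERPRINT):
    """Accept only a VALIDSIG whose fingerprint equals the pinned one.

    GOODSIG alone is not enough: it names a short key id and says nothing about
    whether that key is the one we intended to trust.
    """
    for line in gpg_status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            # parts[2] is the signing (sub)key fingerprint; the optional last
            # field is the primary key fingerprint. Either may be the pinned one.
            fprs = {parts[2].upper(), parts[-1].upper()}
            if pinned_fpr.upper() in fprs:
                return True
    return False


def verify_release(manifest_path, sig_path, manifest_text, filename, data,
                   run=subprocess.run):
    """Signature by the pinned key first, then hash of the downloaded set."""
    proc = run(gpg_verify_argv(manifest_path, sig_path), capture_output=True, text=True)
    if not signature_from_pinned_key(proc.stdout):
        return False
    return artifact_matches_manifest(manifest_text, filename, data)


# Constructed sample data so the module runs offline.
SAMPLE_BASE_TXZ = b"constructed stand-in for base.txz contents\n"
SAMPLE_MANIFEST = (
    "base.txz\t%s\t2456\tbase\t\"Base system (MANDATORY)\"\ton\n"
    "kernel.txz\t%s\t10\tkernel\t\"Kernel (MANDATORY)\"\ton\n"
) % (sha256_hex(SAMPLE_BASE_TXZ), "0" * 64)
SAMPLE_GPG_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Release Engineering Key (placeholder)\n"
    "[GNUPG:] VALIDSIG %s 2016-06-29 1467208740 0 4 0 1 10 01 %s\n"
) % (PINNED_RE_FINGERPRINT, PINNED_RE_FINGERPRINT)

if __name__ == "__main__":
    print("hash ok:", artifact_matches_manifest(SAMPLE_MANIFEST, "base.txz", SAMPLE_BASE_TXZ))
    print("sig ok:", signature_from_pinned_key(SAMPLE_GPG_STATUS))
```

The order matters: the hash in the MANIFEST is only meaningful once the MANIFEST itself is known to come from RE, which is why the signature check runs first and why the fingerprint is compared to a pinned value rather than trusting whatever `gpg` reports as a good signature.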
