On Mon, Mar 29, 2010 at 10:49 PM, Sandy Armstrong <[email protected]> wrote: > On Mon, Mar 29, 2010 at 7:19 AM, Brian Gough <[email protected]> wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> I have a question regarding the release tarballs on ftp.gnome.org. >> As far as I can tell, these are not gpg-signed. Is that correct? >> >> Are signatures available anywhere else or is there any alternative way >> to check them? >> >> I'm working on a collected release of all GNU software packages and >> we'd like to verify everything that goes in it. Thanks. > > When we generate tarballs, we also generate their sha256sum. Is that > sufficient? For example: > > http://download.gnome.org/sources/tomboy/1.1/tomboy-1.1.4.sha256sum
The hash files probably need to be signed by gpg or something like that. :) > Sandy > _______________________________________________ > gnome-infrastructure mailing list > [email protected] > http://mail.gnome.org/mailman/listinfo/gnome-infrastructure > -- Ray Wang - Free As In Freedom _______________________________________________ gnome-infrastructure mailing list [email protected] http://mail.gnome.org/mailman/listinfo/gnome-infrastructure
