On Wed, Nov 16, 2011 at 10:10:08PM +0100, Guido Trentalancia wrote:
> I am an end-user, I know nothing about GNOME infrastructure, I am just
> suggesting that the GNOME tarballs are signed by gpg (instead OR in
> addition to providing message digests).

I was responding because I hoped you could provide some answers on the difficulties that are involved in this. I am not interested in an "it is possible" as a standard answer. As such, I don't see any benefit in continuing a discussion.

I've explained everything already. Seems you still misunderstand why SHA256 is there (not for security!). Further, the existence of openpgp signatures does not indicate at all that tarballs are secure. It only indicates that there are openpgp signatures.

Regarding Bugzilla / openness: I've been cc'ing gnome-infrastructure, you have been removing that on each reply.

This all said, I am interested in providing those signatures, but only if they give a reasonable guarantee of security.

--
Regards,
Olav
_______________________________________________
gnome-infrastructure mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure
