> What you suggest would be perfect but, if I understand it correctly,
> it’s far from reality. There’s not a single project I know of that
> publishes the list of public keys authorized to sign its tarballs. Even
> if they did, we’d need a way to authenticate that list.

I think <https://www.kernel.org/signature.html> has listed all their public keys used to sign their releases. This seems to be quite a neat way of doing things. But you're right that there is no easy way to authenticate that list.
