Thanks teilo. Although I do think downloading sources and inspecting them would not only be overkill, but also not a foolproof way of ensuring security. What if the source files are mangled during download?

The only few ways I can think of are:

1. to get the binaries and keys/hashes over PGP email from somebody on the inside,
2. obtain it over HTTPS on their website,
3. using SFTP, or
4. by having someone on the inside ship a DVD that contains the binary + public key.

I'm trying other avenues (CloudBees, for example) but there do not seem to be any provisions to do this.

Thanks,
Abhijith

On Mon, Jan 13, 2014 at 1:46 AM, teilo <[email protected]> wrote:
>
> On Sunday, 12 January 2014 22:20:17 UTC, Abhijith Chandrashekar wrote:
>>
>> > Of course, you'd need a secure way to make sure it's actually his
>> > signature, but that should be easier than changing the entire distribution
>> > chain.
>>
>> That's exactly the problem. Any ideas on how I can do that?
>>
>> Thanks,
>> Abhijith
>>
>
> http://kohsuke.org/about/pgp/
>
> But if you are that security paranoid then you should download the
> sources, inspect them (and the history) and then compile them yourself
> every release (like you do for all the plugins right!?).
>
> /James
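The problem both messages circle around is the trust anchor: a signature only proves something once you know, through a channel the download server cannot tamper with, which key is supposed to have made it. The script below is an added example, not code from the thread or from the Jenkins project. It assumes GnuPG 2.1.14 or newer on the PATH (for `--import-options show-only`), a detached `.asc` signature next to the download, and that the expected key fingerprint was obtained out of band (for instance read from the key owner's page fetched over HTTPS, or confirmed over the phone). The file names and the all-zero fingerprint in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: verify a downloaded release against its detached PGP
# signature, refusing to proceed unless the signing key's fingerprint equals
# a value obtained through a separate, trusted channel.
set -eu

# Normalise a fingerprint as people write it ("AB12 cd34 ...") to the bare
# upper-case hex form that gpg emits in --with-colons output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed (exit 0) when two fingerprints denote the same key, fail otherwise.
fprs_match() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary-key fingerprint found in an armoured public key file,
# without importing it into the user's default keyring.
primary_fingerprint() {
    keyfile=$1
    gpg --batch --with-colons --import-options show-only --import "$keyfile" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_release FILE SIG KEYFILE EXPECTED_FPR
# 1. check that KEYFILE really is the key whose fingerprint we trust,
# 2. import only that key into a throwaway keyring,
# 3. verify SIG over FILE with that keyring alone.
verify_release() {
    file=$1; sig=$2; keyfile=$3; expected_fpr=$4

    actual_fpr=$(primary_fingerprint "$keyfile")
    if ! fprs_match "$actual_fpr" "$expected_fpr"; then
        echo "refusing: key fingerprint $actual_fpr does not match expected $expected_fpr" >&2
        return 1
    fi

    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    chmod 700 "$tmp"
    gpg --batch --homedir "$tmp" --import "$keyfile" >/dev/null 2>&1

    # Trust was established by the fingerprint comparison above, not by the
    # web of trust, so the empty throwaway keyring may use --trust-model always.
    gpg --batch --homedir "$tmp" --trust-model always --verify "$sig" "$file"
}

# Usage with placeholder names (fingerprint value is NOT a real key):
#   ./verify_release.sh jenkins.war jenkins.war.asc signer-pubkey.asc \
#       "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```

The order matters: the fingerprint is compared before anything is imported, so a key file swapped on the download mirror is rejected rather than quietly becoming the thing that "verifies" the binary. A corrupted or truncated download, the worry raised at the top of this message, shows up as a failed `gpg --verify` rather than as a bad install.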
