On a slightly related note: * dist.libuv.org is HTTP-only * tarballs are not GPG-signed[0] So basically there is no integrity check viable for tarballs. I'm particularly interested in the second point. As tags are already signed by whoever cut a specific release, can a detached signature by the same key also be uploaded? [0] https://github.com/joyent/libuv/issues/1177
I plan to work on this shortly. I'm not sure we want to use the tags as releases, since we might want to add more stuff to the release tarballs (the autoconf generated files, for example) so I think I'll go for signing the tarball we generate and uploading the signature as well to dist.libuv.org. Hopefully I can get this done by the next release.
Cheers, -- Saúl Ibarra Corretgé http://bettercallsaghul.com -- You received this message because you are subscribed to the Google Groups "libuv" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/libuv. For more options, visit https://groups.google.com/d/optout.
