On Apr 7, 2017 4:41 PM, "Christian Rebischke" <[email protected]> wrote:
On Thu, Apr 06, 2017 at 06:27:08PM -0700, William Roberts wrote: > Why not just checkout the release with git? Because this wouldn't solve the problem or do you use signed commits in your linux-audit git repository? As long as you use a secure protocol and trust his repo signing the tags doesn't give you all that much. And even if you use signed commits I really would appreciate if you would sign the tarball and provide a hash for it on the release page. This would increase security a lot. Yes agreed there, at least HTTPS connections are available. cheers, chris
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
