On Thu, Apr 6, 2017 at 7:31 PM, Christian Rebischke <[email protected]> wrote: > Hello, > I am the maintainer of 'audit' in the official Arch Linux Repositories. > Is there a reason why you don't provide a signature file for the > releases nor a checksum or am I just stupid and can't find it on your > website: https://people.redhat.com/sgrubb/audit/ ?
Steve seems to be posting audit userspace releases both on his Red Hat people page and on GitHub; I'm not sure which he considers to be the "authoritative" release, he'll have to answer that. https://github.com/linux-audit/audit-userspace/releases As far as checksum'd and signed releases, someone from the Debian camp recently requested detached signatures for libseccomp and provided the documentation below (it's a short and well done doc). While libseccomp had been signing releases for years, we were using a combined (?) approach, it was relatively easy to add the detached signature. https://wiki.debian.org/Creating%20signed%20GitHub%20releases In case anyone is interested, here is an example of what we now provide for a libseccomp release: https://github.com/seccomp/libseccomp/releases/tag/v2.3.2 ... and the libseccomp release process is documented here: https://github.com/seccomp/libseccomp/blob/master/RELEASE_PROCESS.md -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
