On Thu, Jan 21, 2010 at 12:25:08AM -0500, grarpamp wrote: > It would be easier to just sign the git revision hashes at various intervals. > Such as explicitly including the revision hash that each release is > made from in the release docs itself. And then signing that release. > That way everyone... git repo maintainers, devels, mirrors, users... > can all verify the git repo via that signature. Of course the sig key material > needs to be handled in a sanitary way, but still, it's the idea that matters. > And git, not svn, would need to be the canonical repo committers commit > to, etc. > > Thanks for Tor.
We do sign the git repository for each release (stable and development). Do a git clone of Tor, and then 'git tag -l'. Saying the git hash of the release in the release notes is not a crazy notion though. --Roger *********************************************************************** To unsubscribe, send an e-mail to [email protected] with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
