Mathieu Roy writes:
 > 
 > To improve security, there will be automated verification of GPG signed files
 > contained in projects' download areas soon.
 > 
 > Projects will not be forced to sign their files, indeed, but encouraged to do
 > so. Signed files that could not be verified will be moved into subdirectories
 > named /maybe-corrupted.
 > 
 > This automated check is not in production yet since it appears that several
 > projects have GPG signed files that cannot be verified because their project
 > members have not registered their GPG key through Savane yet.
 > 

        If one could type her/his name in the Savane GPG registration
box and ask for the matching public key to be retrieved from a public
server, it would probably help a bit.

        Better yet, the ID of keys of the signed files in the download
area could be matched against the names of the developers of the project
and be automatically proposed for registration in Savane.

        It is easy to have ideas when you have no time to implement them ;-)

        Very good initiative Mathieu, congrats.

-- 
Loic Dachary, 12 bd Magenta, 75010 Paris. Tel: 33 8 71 18 43 38
http://www.fsffrance.org/   http://www.dachary.org/loic/gpg.txt

_______________________________________________
Project mailing list
[email protected]
http://mail.gna.org:8080/listinfo/project
