Issue #1777 has been updated by James Turnbull.

Assigned to changed from Luke Kanies to James Turnbull
Target version changed from Rowlf to 0.25.2


----------------------------------------
Feature #1777: Please provide cryptographically authenticated package downloads
http://projects.reductivelabs.com/issues/1777

Author: micah -
Status: Accepted
Priority: High
Assigned to: James Turnbull
Category: plumbing
Target version: 0.25.2
Affected version: 0.24.6
Keywords: 
Branch: 


The "DownloadingPuppet":http://reductivelabs.com/trac/puppet/wiki/DownloadingPuppet 
page provides the release tarballs for puppet. These should be accompanied by a 
cryptographic authentication mechanism for verifying the source integrity, 
preferably by providing detached OpenPGP signatures of the release tarball 
(like the Linux kernel "provides":http://kernel.org/signature.html), or by 
providing a cryptographic hash verification.

Without this, there is no way to ensure that any given tarball, or file on this 
page, is a legitimate uncompromised copy of the source that the puppet project 
is releasing. All it takes is for someone to compromise a development host, and 
upload a modified tarball release to effectively compromise a very large 
segment of managed infrastructure that depends on puppet.
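The hash-verification half of what the report asks for, shown from the consumer's side as an added example (this is not code from the Puppet project or from the issue author): parse a `sha256sum`-style checksum list, hash the downloaded tarball, and refuse it on any mismatch. The checksum-file format, the file name `puppet-0.25.2.tar.gz` and the tarball contents are all constructed for the demo.

```python
"""Verify a downloaded release tarball against a sha256sum-style checksum list.

Added example, not part of the Puppet project. Assumptions: the checksum list
uses the format written by `sha256sum` ("<64 hex chars>  <filename>", one
entry per line, optional leading '*' on the name for binary mode); the file
name puppet-0.25.2.tar.gz and its contents are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Return {filename: lowercase hex digest} from sha256sum-style output."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed checksum entry on line %d: %r" % (lineno, line))
        digest, name = parts
        # sha256sum prefixes binary-mode entries with '*'; the name itself follows.
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(path, sums_text):
    """Return (ok, reason). Any deviation from the listed digest is a failure."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return False, "no checksum listed for %s" % name
    actual = sha256_of_file(path)
    # compare_digest keeps the comparison constant-time; digests are ASCII hex.
    if not hmac.compare_digest(actual, expected[name]):
        return False, "digest mismatch for %s: expected %s, got %s" % (
            name, expected[name], actual)
    return True, "ok"


def demo():
    """Constructed scenario: a good tarball passes, a tampered copy fails."""
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "puppet-0.25.2.tar.gz")  # constructed, not a real release
        with open(tarball, "wb") as f:
            f.write(b"constructed release payload, not a real tarball\n")
        sums = "%s  puppet-0.25.2.tar.gz\n" % sha256_of_file(tarball)
        good = verify_release(tarball, sums)
        # Simulate a modified tarball uploaded in place of the real one.
        with open(tarball, "ab") as f:
            f.write(b"\n# bytes appended after the checksum list was published\n")
        tampered = verify_release(tarball, sums)
        return good[0], tampered[0]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A checksum list served from the same host as the tarball only catches accidental corruption: whoever can replace the tarball can regenerate the list. The list (or the tarball itself) therefore also needs a detached OpenPGP signature from a key distributed out of band, checked with `gpg --verify puppet-0.25.2.tar.gz.asc puppet-0.25.2.tar.gz`, which is the first option the report proposes.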


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
http://groups.google.com/group/puppet-bugs?hl=en