No, I'm just looking for extra confidence when verifying installers. On that note, did Ubuntu require someone to sign packages to distribute packages via apt? Can that be repurposed here?
On 4/2/21 12:26 PM, James Platt wrote: > > Are you bring this up because of the recent rise of dependency confusion > attacks? In any case, it would be good to know where Racket stands with that. > > On Apr 1, 2021, at 12:39 PM, Sage Gerard wrote: > >> Are there any plans to publish GPG signatures for Racket installers, or >> at least upgrade the cryptographic hash function used for the checksums? >> >> If not, who would be a good person to talk to about contributing that? >> >> -- >> ~slg >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Racket Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/racket-users/70e8acf9-9993-0e7c-3d10-b7964cc6ed03%40sagegerard.com. > -- > You received this message because you are subscribed to the Google Groups > "Racket Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/racket-users/8DEE7478-3E76-43EC-8691-AA44D016E764%40biomantica.com. -- ~slg -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/3b144b15-e5a1-8139-496d-c1a36e401117%40sagegerard.com.
