On Thu, Oct 26, 2017 at 12:38 PM, John Cremona <[email protected]> wrote:
> On 26 October 2017 at 11:18, Erik Bray <[email protected]> wrote:
>> On Thu, Oct 26, 2017 at 11:53 AM, Harald Schilly
>> <[email protected]> wrote:
>>> Hi, I don't see how https helps with any such attack. What I always pointed
>>> out is to use checksums. e.g. the webseed torrent files here
>>> http://files.sagemath.org/torrents.html have checksums and what would be
>>> missing is to sign them. AFAIK there is no official public/private key for
>>> files on sagemath.org, but we could create one and sign files containing
>>> checksums. We can also add the fingerprint of the key to the source code.
>>> (which makes me wonder if we are maybe already signing the tagged releases
>>> in git?)
>>
>> Yup, this is why I suggested better hashes are almost more important
>> here than HTTPS, and yes we should sign them as well--i.e. any time an
>> spkg is updated a trusted member of the project should at least be
>> verifying the hashes and appending their signature to the checksum.
>> That of course still says nothing for the validity of the source
>> tarball being signed, but one can only trust that they are valid if
>> they came from their original source--alas the chain of trust in this
>> case is often flimsy. When I was personally release manager on more
>> widely used software I signed every tag and release tarball. No idea
>> if we do that...
>
> Tell me what I should do to sign / certify tarballs for eclib, and I'll do it.
This page has a nice overview of the topic in general (if not TL;DR):
https://www.apache.org/dev/release-signing.html

The short version is:

$ gpg --armor --output foo.tar.gz.asc --detach-sign foo.tar.gz

When tagging a release in git you can also sign the tag simply by using
`git tag -s`. This assumes you already have a gpg key.
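A verification-side counterpart to the signing step above, added here as an example and not code from the thread or from Sage: it parses a sha256sum-style checksum file, reports each listed tarball as ok, mismatched or missing, and wraps `gpg --verify` for the detached signature that should be checked before the checksums are trusted. File names such as eclib-1.tar.gz and the helper names are constructed for the example.

```python
import hashlib, os, shutil, subprocess, tempfile

def parse_checksums(text):
    """Parse sha256sum-style lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, _, name = line.strip().partition(" ")
            entries[name.lstrip(" *")] = digest.lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_checksums(checksum_text, directory):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every file listed."""
    results = {}
    for name, expected in parse_checksums(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == expected else "mismatch"
    return results

def signature_is_good(sig_path, data_path):
    """Verify the detached signature (made with `gpg --detach-sign`) BEFORE trusting
    the checksum file. None if gpg is absent; True only for a good signature."""
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(["gpg", "--batch", "--verify", sig_path, data_path],
                          capture_output=True)
    return proc.returncode == 0

def demo():
    """Constructed sample: one intact tarball, one tampered after checksumming, one missing."""
    d = tempfile.mkdtemp()
    for name, data in (("eclib-1.tar.gz", b"eclib"), ("foo.tar.gz", b"foo")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    checksums = "\n".join(f"{sha256_file(os.path.join(d, n))}  {n}"
                          for n in ("eclib-1.tar.gz", "foo.tar.gz"))
    checksums += "\n" + "0" * 64 + " *missing.tar.gz\n"    # entry with no file present
    with open(os.path.join(d, "foo.tar.gz"), "ab") as f:
        f.write(b"tampered")                                # simulate a modified download
    return verify_checksums(checksums, d)
```

Run `signature_is_good("checksums.txt.asc", "checksums.txt")` first and only call `verify_checksums` when it returns True.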
