On 7/29/19 5:52 PM, Clark Boylan wrote:
> On Mon, Jul 29, 2019, at 1:52 PM, James E. Blair wrote:
> > Hi,
> > A colleague at Red Hat is working on an effort to record signatures of
> > release artifacts. Essentially it's a way to help users verify release
> > artifacts (or determine if they have been changed)
Jeremy Stanley wrote:
[...]
> For artifacts we upload to third-party services like PyPI and Docker
> Hub on the other hand, assuming I've digested (pun intended) the
> relevant literature correctly, it might make more sense for the
> maintainers of those services to do something similar as they tend
> to p
On 2019-07-29 13:52:20 -0700 (-0700), James E. Blair wrote:
> A colleague at Red Hat is working on an effort to record signatures of
> release artifacts. Essentially it's a way to help users verify release
> artifacts (or determine if they have been changed) independent of PGP
> signatures. You c
On Mon, Jul 29, 2019, at 1:52 PM, James E. Blair wrote:
> Hi,
>
> A colleague at Red Hat is working on an effort to record signatures of
> release artifacts. Essentially it's a way to help users verify release
> artifacts (or determine if they have been changed) independent of PGP
> signatures.
Hi,
A colleague at Red Hat is working on an effort to record signatures of
release artifacts. Essentially it's a way to help users verify release
artifacts (or determine if they have been changed) independent of PGP
signatures. You can read about it here:
https://github.com/merklecounty/rget#rge