[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug-gsrc] Re: signatures on release tarballs?
From: |
Ray Wang |
Subject: |
[bug-gsrc] Re: signatures on release tarballs? |
Date: |
Tue, 30 Mar 2010 11:11:14 +0800 |
On Mon, Mar 29, 2010 at 10:49 PM, Sandy Armstrong
<address@hidden> wrote:
> On Mon, Mar 29, 2010 at 7:19 AM, Brian Gough <address@hidden> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I have a question regarding the release tarballs on ftp.gnome.org.
>> As far as I can tell, these are not gpg-signed. Is that correct?
>>
>> Are signatures available anywhere else or is there any alternative way
>> to check them?
>>
>> I'm working on a collected release of all GNU software packages and
>> we'd like to verify everything that goes in it. Thanks.
>
> When we generate tarballs, we also generate their sha256sum. Is that
> sufficient? For example:
>
> http://download.gnome.org/sources/tomboy/1.1/tomboy-1.1.4.sha256sum
The hash files probably need to be signed by gpg or something like that. :)
> Sandy
> _______________________________________________
> gnome-infrastructure mailing list
> address@hidden
> http://mail.gnome.org/mailman/listinfo/gnome-infrastructure
>
--
Ray Wang
- Free As In Freedom