savannah-hackers

Re: [Savannah-hackers] Detached signatures for source files


From: Laurence Finston
Subject: Re: [Savannah-hackers] Detached signatures for source files
Date: Mon, 27 Sep 2004 15:04:22 +0200 (MEST)

Thanks for the explanation.  I don't completely understand the issues
involved yet.

On Mon, 27 Sep 2004, Brian Gough wrote:

>
> To protect against this it is necessary to include metadata such as
> the version number, tag and hash of the prior version in the signature
> so that there is an audit trail from one version to the next.  One way
> is to use the --set-notation option in GPG to add this information.

I'll look this up.

>
> If you are signing tar.gz files then it's less of an issue since they
> would have the version number embedded in the tarfile directory name.
>

Actually, I'm using a single "version" number for my development versions.
They are all version 1.2.0.0.  When I release an official version it will
be 1.2.0.1 or 1.2.1.  The tarballs are all called `3DLDFsnp.tar.gz' so
that I can just commit a new version rather than filling up the repository
with obsolete tarballs.  So if I understand you correctly, they
are also subject to metadata attacks.

Laurence
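The scheme Brian Gough describes in the quoted text, as an added example that is not part of this thread and not code from 3DLDF or Savannah: a POSIX shell script that signs a tarball with `--set-notation` carrying the version, a tag and the SHA-256 of the prior upload, then verifies the detached signature and checks that signed metadata, so that an old upload served under the same `3DLDFsnp.tar.gz` name is rejected even though its signature is still good. It assumes GnuPG 2.1 or later and `sha256sum` on the PATH; the notation names under `example.org`, the signer identity, the tag names and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from 3DLDF: bind version
# metadata into a detached GPG signature with --set-notation and check it
# on verify.  Assumes GnuPG >= 2.1 and sha256sum on PATH.  The notation
# names (*@example.org), signer identity and file contents are constructed.
set -eu

GNUPGHOME=$(mktemp -d)              # throwaway keyring, removed on exit
export GNUPGHOME
WORK="$GNUPGHOME/work"; mkdir -p "$WORK"
SIGNER='3DLDF demo key <demo@example.org>'   # assumed signer identity
trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# gpg in batch mode with an empty passphrase (acceptable for a demo key only).
gpgb() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

make_key() { gpgb --quick-generate-key "$SIGNER" ed25519 sign never 2>/dev/null; }

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# sign_release FILE VERSION TAG PRIOR_SHA256 -> writes FILE.asc.
# Notations live in the hashed subpackets of the signature, so they are
# covered by it: changing them without the key breaks the signature.
sign_release() {
    gpgb --local-user "$SIGNER" \
        --set-notation "version@example.org=$2" \
        --set-notation "tag@example.org=$3" \
        --set-notation "prior-sha256@example.org=$4" \
        --armor --detach-sign --output "$1.asc" "$1" 2>/dev/null
}

# notation FILE NAME -> prints notation NAME from FILE.asc, but only when
# gpg reports GOODSIG; prints nothing for a bad or missing signature.
# gpg splits long NOTATION_DATA values over several status lines, so the
# pieces are concatenated.  (Values used here contain nothing gpg %-escapes.)
notation() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
    awk -v want="$2" '
        $1 != "[GNUPG:]"      { next }
        $2 == "GOODSIG"       { good = 1 }
        $2 == "NOTATION_NAME" { cur = $3 }
        $2 == "NOTATION_DATA" && cur == want { val = val $3 }
        END { if (good) print val }'
}

# check_release FILE EXPECTED_VERSION EXPECTED_PRIOR_SHA256 -> 0 only when
# the signature is good AND the signed metadata names the expected version
# and chains to the prior upload we already trust.  A good signature alone
# is not enough: an old file served with its old, still valid signature
# passes a plain `gpg --verify`.
check_release() {
    [ "$(notation "$1" version@example.org)" = "$2" ] &&
    [ "$(notation "$1" prior-sha256@example.org)" = "$3" ]
}

SNAP="$WORK/3DLDFsnp.tar.gz"            # same name for every upload, as in the thread
ROLLBACK="$WORK/old-3DLDFsnp.tar.gz"    # attacker's copy of the previous upload
PRIOR_HASH=

if command -v gpg >/dev/null 2>&1; then
    make_key
    # Upload 1: development snapshot; nothing earlier to chain to.
    printf 'constructed snapshot contents\n' > "$SNAP"
    sign_release "$SNAP" 1.2.0.0 snapshot-2004-09-27 none
    PRIOR_HASH=$(sha256_of "$SNAP")
    # The attacker keeps the old file and its old signature ...
    cp "$SNAP" "$ROLLBACK"; cp "$SNAP.asc" "$ROLLBACK.asc"
    # ... while the maintainer commits the release under the same name.
    printf 'constructed release contents\n' > "$SNAP"
    sign_release "$SNAP" 1.2.0.1 release-1.2.0.1 "$PRIOR_HASH"

    if check_release "$SNAP" 1.2.0.1 "$PRIOR_HASH"; then
        echo "release:  accepted"
    fi
    if check_release "$ROLLBACK" 1.2.0.1 "$PRIOR_HASH"; then
        echo "rollback: accepted (BUG)"
    else
        echo "rollback: rejected; signature is good but signed version is $(notation "$ROLLBACK" version@example.org)"
    fi
fi
```

Notation names containing `@` are in the user namespace, so any `name@yourdomain` works without registration. The check reads gpg's machine-readable `--status-fd` output rather than its human-readable messages, which change between versions and locales. The expected prior hash has to come from something the verifier already trusts (the tarball it last accepted, or a pinned value), otherwise the chain is only as strong as whoever supplies its starting point.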
