Any reason why tarball releases are not cryptographically signed? #789
Comments
Hi - it's mostly laziness. The SourceForge release process was a bit clunky with me making a .deb and .tar.gz and then emailing that to cboltz who did something with RPM files, and then somehow that all magically got on sourceforge .... Github is a lot easier in that respect (push a tag, go to create a new release and that's it). Anyway, it is possible to attach a gpg signature file etc to the github release - which would do what I think you're asking. I suspect I'll need to swot up on how to do gpg signing again!
I have not updated my little local instance since the migration from Sourceforge to Github and I wonder: why are we supposed to simply trust the released tarballs on Github, as if Github is not hackable? Back in the day, between
$ wget -O postfixadmin.tgz https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.3.13.tar.gz
and
one would get the publishing developer's public key and verify the signature:
Skipping on this looks like a regression to me?
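The verification step the post describes (fetch the publisher's public key, then verify the detached signature on the tarball), as an added example that is not part of this issue thread or of postfixadmin's own release tooling. It assumes GnuPG (`gpg`) is installed and that the release carries a detached `.asc` signature of the kind the maintainer mentions attaching to a GitHub release. The file names, the pinned fingerprint and the sample status lines are constructed for illustration. The point it adds beyond "run gpg --verify" is that a zero exit status only means some key in the keyring verified the data; a release check should pin the expected signing-key fingerprint and read gpg's `--status-fd` output for a matching `VALIDSIG`.

```python
"""Verify a detached OpenPGP signature on a release tarball against a
pinned signing-key fingerprint.

Added example, not postfixadmin project code.  Assumes gpg is installed.
"""
import os
import subprocess
import sys
import tempfile

# Hypothetical pinned fingerprint of the release-signing key (constructed).
# In practice this comes from an out-of-band source such as the project's
# website or a previously verified release, never from the same download.
EXPECTED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed gpg --status-fd output, in the real line format, for testing
# the parser without invoking gpg.  A signature made by a subkey reports the
# subkey fingerprint as the first VALIDSIG field and the primary key as the last.
SAMPLE_STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Key <release@example.invalid>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 "
    "1704067200 0 4 0 22 10 01 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_STATUS_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Release Key <release@example.invalid>\n"
)

KEY_FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def parse_gpg_status(status_output, expected_fingerprint):
    """Return True only if gpg reported a VALIDSIG made by the pinned key.

    Any BADSIG/ERRSIG/missing, expired or revoked key line fails the check,
    wherever it appears.  GOODSIG alone is ignored: it names only a short
    key id and says nothing about whether that key is the one we trust.
    """
    expected = expected_fingerprint.replace(" ", "").upper()
    valid_fingerprints = set()
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in KEY_FAILURES:
            return False
        if keyword == "VALIDSIG" and len(fields) >= 3:
            valid_fingerprints.add(fields[2].upper())      # signing (sub)key
            if len(fields) >= 12:
                valid_fingerprints.add(fields[11].upper())  # primary key
    return expected in valid_fingerprints


def verify_release(tarball, signature, signer_pubkey,
                   expected_fingerprint=EXPECTED_FINGERPRINT):
    """Import the publisher's key into a throwaway keyring and verify.

    Returns (ok, status_text).  A temporary GNUPGHOME keeps the result
    independent of whatever keys happen to sit in the user's own keyring.
    """
    with tempfile.TemporaryDirectory() as home:  # created mode 0700
        base = ["gpg", "--batch", "--homedir", home]
        subprocess.run(base + ["--import", signer_pubkey],
                       check=True, capture_output=True)
        result = subprocess.run(
            base + ["--status-fd", "1", "--verify", signature, tarball],
            capture_output=True, text=True)
        ok = (result.returncode == 0
              and parse_gpg_status(result.stdout, expected_fingerprint))
        return ok, result.stdout


if __name__ == "__main__":
    # Illustrative usage: verify_release.py postfixadmin.tgz postfixadmin.tgz.asc signer.asc
    if len(sys.argv) != 4:
        sys.exit("usage: verify_release.py TARBALL SIGNATURE.asc SIGNER_KEY.asc")
    ok, status = verify_release(*sys.argv[1:4])
    print("signature valid and made by the pinned key" if ok
          else "VERIFICATION FAILED:\n" + status)
    sys.exit(0 if ok else 1)
```

The parser is the part worth reading closely: it accepts the release only when the fingerprint on the `VALIDSIG` line (either the signing subkey or the primary key it belongs to) equals the pinned value, and it rejects on `BADSIG`, `ERRSIG`, `NO_PUBKEY`, `EXPKEYSIG` or `REVKEYSIG` regardless of what else gpg prints.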