Re: Verifying libvirt release tarballs

On Mon, Aug 11, 2014 at 11:40:11PM +0200, Richard Weinberger wrote:
> Hi!
> 
> How can I cryptographically verify libvirt releases?
> There are no signature/hash files in http://libvirt.org/sources/.
> 
> All I see is that your git release tags are PGP signed.
> So, anyone who cares has to ignore everything in http://libvirt.org/sources/
> and needs to regenerate the tarball from git.
> Or do I miss something?

Yeah, re-generate tarball from git doesn't really fly because it contains
auto-generated autoconf stuff that will never give you the exact matching
content without huge amounts of trouble.

I wonder if DV would be willing to generate sigs during release. It is
merely a case of running 'gpg --armour --detach libvirt-x.y.z.tar.gz'
and then uploading the .asc file to libvirt.org too. Likewise for the
python binding tar.gz - pypi would like it if we uploaded a .sig file.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
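
The consumer side of the detached-signature scheme proposed above, as an added example that is not part of the original message or of libvirt's release tooling. The helper names (`verify_release`, `make_demo_release`), the demo file name and the throwaway key are constructed for illustration; it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Publisher side, as in the message (long option names spelled out):
#   gpg --armor --detach-sign libvirt-x.y.z.tar.gz   # writes libvirt-x.y.z.tar.gz.asc

# verify_release TARBALL SIG PINNED_FPR  (hypothetical helper)
# Succeeds only if SIG is a good signature over TARBALL and was made by the
# key whose primary fingerprint is PINNED_FPR (obtained out of band).
verify_release() {
    tarball=$1 sig=$2 pinned=$3
    # --status-fd gives stable machine-readable lines; do not parse the human text.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    # Reject signatures that are bad, expired, or from an expired/revoked key.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # The last VALIDSIG field is the primary key fingerprint, even when a
    # signing subkey produced the signature.
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$signer" ] && [ "$signer" = "$pinned" ]
}

# make_demo_release DIR: constructed throwaway key, payload and signature.
# Sets GNUPGHOME and DEMO_FPR for the caller.
make_demo_release() {
    dir=$1
    GNUPGHOME=$dir/gnupg; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    gpg --batch --quiet --passphrase '' --quick-generate-key \
        'Demo Release Key <demo@example.invalid>' ed25519 sign never 2>/dev/null || return 1
    DEMO_FPR=$(gpg --batch --with-colons --list-keys demo@example.invalid |
        awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'constructed release payload\n' > "$dir/demo-1.0.tar.gz"
    gpg --batch --quiet --armor --detach-sign "$dir/demo-1.0.tar.gz"
}

if command -v gpg >/dev/null 2>&1; then
    d=$(mktemp -d)
    if make_demo_release "$d" &&
       verify_release "$d/demo-1.0.tar.gz" "$d/demo-1.0.tar.gz.asc" "$DEMO_FPR"; then
        echo "good signature from pinned key $DEMO_FPR"
    fi
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$d"
fi
```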