On 28.08.2014 09:14, Daniel Veillard wrote:
> On Wed, Aug 27, 2014 at 08:45:29PM +0200, Richard Weinberger wrote:
>> On Wed, Aug 27, 2014 at 9:18 AM, Daniel Veillard <veillard@xxxxxxxxxx> wrote:
>>> So I tagged 1.2.8-rc1 in git and made tarball and signed rpms
>>
>> Can you please sign the tarball too?
>
> Well, the source rpm is signed, you can check it and it contains the
> tarball, so technically there is already a signed source out there.
> Signing a tarball means putting out an additional file and keeping
> it forever, I could do that but hum ....

So everyone who wants to build libvirt from source and cares about data integrity
has to unpack/verify the rpm? Come on... :-)

Signing tarballs is nothing new nor rocket science.
In times where the NSA tries to f*ck everyone at least some basic cryptographic
arrangements should be applied.
I know other projects are sloppy regarding signed releases too, this does not mean
that libvirt should follow their bad example.

Thanks,
//richard

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list