Re: ANNOUNCE: libvirt 1.0.5.6 maintenance release

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey,

On Wed, Oct 02, 2013 at 08:12:24PM +0200, Guido Günther wrote:
> > It would be very nice if the announce mail included either a sha256
> > checksum for the tarball (thanks Guido for doing that in your recent
> > release!), or a GPG key used to sign the release, see
> > http://lwn.net/Articles/548857/ for more details about this.
> 
> I sign the tag as well as the email so together with the checksums this
> builds the "chain of trust" (given you trust my gpg signature). A
> further improvement would be to build the tarballs first and then add
> the checksums as the commit message of the tag - I'll try to do that
> with the next 0.9.12.x release.

Having the checksum of the tarball in a signed email archived in a totally
different place than the server hosting the actual tarballs is already
very good imo, I'm not sure it's worth complicating the process even
further (but it wouldn't hurt if you do that I guess!)

Christophe

Attachment: pgpIInJe50iFK.pgp
Description: PGP signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]