On Thu, Feb 9, 2017 at 1:32 PM, Abhishek L <abhishek@xxxxxxxx> wrote:
> Since v11.0.0/v10.0.5/v0.94.3,
>> these tags have not been GPG signed, so downstream consumers have no
>> reliable way of verifying that the source they have matches the reviewed
>> and tested upstream release source.

The old ceph.com GPG key had been copied to too many places, including some of the Jenkins slaves, which was bad. Today there is a central signer box behind a firewall with very restricted access.

I'll talk with Andrew and Alfredo about GPG signing Git tags and source tarballs going forward, because I think we can script something here to make it easier. I agree that it's important.

- Ken