Hi,

On Thu, 9 Feb 2017 21:42:55 -0700, Ken Dreyer wrote:
> On Thu, Feb 9, 2017 at 1:32 PM, Abhishek L <abhishek@xxxxxxxx> wrote:
> > Since v11.0.0/v10.0.5/v0.94.3,
> >> these tags have not been GPG signed, so downstream consumers have no
> >> reliable way of verifying that the source they have matches the reviewed
> >> and tested upstream release source.
>
> The old ceph.com GPG key had been copied to too many places, including
> some of the Jenkins slaves, which was bad. Today there is a central
> signer box behind a firewall with very restricted access.
>
> I'll talk with Andrew and Alfredo about GPG signing Git tags and
> source tarballs going forward, because I think we can script something
> here to make it easier. I agree that it's important.

Any updates here? I notice that the Luminous tags are still missing GPG
signatures.

My preference would be to have the signing done explicitly by someone
involved in the upstream release, using their own personal keys, rather
than using an automated signer box.

Cheers,
David
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
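What the thread is asking for in concrete terms, as an added example that is not Ceph's release tooling and not code from anyone in the thread: sign an annotated Git tag and a detached signature for the release tarball, then run the two checks a downstream consumer would run, including the negative case where the tarball has been altered. Everything here is constructed for the example: the throwaway ed25519 key (no passphrase, so it runs non-interactively), the one-commit repository, and the v1.0.0 tag name. A real consumer would first import the project's published public key into their own keyring; here signer and verifier share one isolated GNUPGHOME.

```sh
#!/bin/sh
# Added example, not Ceph project tooling. Signs a Git tag and a source
# tarball with a throwaway key, then verifies both the way a downstream
# consumer would. Key identity, repo and tag name are all constructed here.
set -eu

# Skip cleanly if the host lacks the two tools the example exercises.
command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 || {
  echo "needs gpg and git on PATH" >&2
  exit 0
}

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"          # isolated keyring, nothing touches ~/.gnupg
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

SIGNER="Release Signer (example key) <release@example.invalid>"   # hypothetical identity
REPO="$WORK/repo"
TARBALL="$WORK/release-1.0.0.tar"

# 1. Throwaway signing-only ed25519 key with an empty passphrase.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$SIGNER" ed25519 sign 1d >/dev/null 2>&1
FPR="$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr:/ {print $10; exit}')"

# 2. A one-commit repository standing in for the reviewed release source.
git init -q "$REPO"
git -C "$REPO" -c user.name=ex -c user.email=ex@example.invalid \
    -c commit.gpgsign=false commit -q --allow-empty -m "release v1.0.0"

# 3. Signed annotated tag (git tag -s) ...
git -C "$REPO" -c user.name=ex -c user.email=ex@example.invalid \
    -c user.signingkey="$FPR" tag -s v1.0.0 -m "v1.0.0"
# ... and a detached, ASCII-armored signature over the tarball built from it.
git -C "$REPO" archive --format=tar --prefix=release-1.0.0/ v1.0.0 > "$TARBALL"
gpg --batch --detach-sign --armor --local-user "$FPR" "$TARBALL"   # writes $TARBALL.asc

# 4. Downstream checks. Each returns 0 on success, non-zero on failure.
verify_tag() {
  git -C "$REPO" tag -v v1.0.0 >/dev/null 2>&1
}
verify_tarball() {
  gpg --batch --verify "$TARBALL.asc" "$TARBALL" >/dev/null 2>&1
}
# Negative case: one appended byte must make the detached signature fail.
tampered_tarball_fails() {
  cp "$TARBALL" "$WORK/tampered.tar"
  printf 'x' >> "$WORK/tampered.tar"
  ! gpg --batch --verify "$TARBALL.asc" "$WORK/tampered.tar" >/dev/null 2>&1
}

verify_tag              && echo "tag v1.0.0: good signature from $FPR"
verify_tarball          && echo "tarball: good detached signature"
tampered_tarball_fails  && echo "tampered tarball: signature rejected, as expected"
```

`git tag -v` only succeeds when the tag's signing key is in the verifier's keyring, so the public key (or its fingerprint) has to be published somewhere downstream already trusts, independently of the tarball mirror; a `.asc` next to the tarball proves nothing if the key that made it is fetched from the same place.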