Re: GPG signing of upstream release tags

On Wed, 5 Jul 2017 14:09:47 +0200, David Disseldorp wrote:

> Hi,
> 
> On Thu, 9 Feb 2017 21:42:55 -0700, Ken Dreyer wrote:
> 
> > > On Thu, Feb 9, 2017 at 1:32 PM, Abhishek L <abhishek@xxxxxxxx> wrote:
> > > > Since v11.0.0/v10.0.5/v0.94.3,
> > > > these tags have not been GPG signed, so downstream consumers have no
> > > > reliable way of verifying that the source they have matches the reviewed
> > > > and tested upstream release source.
> > 
> > The old ceph.com GPG key had been copied to too many places, including
> > some of the Jenkins slaves, which was bad. Today there is a central
> > signer box behind a firewall with very restricted access.
> > 
> > I'll talk with Andrew and Alfredo about GPG signing Git tags and
> > source tarballs going forward, because I think we can script something
> > here to make it easier. I agree that it's important.  
> 
> Any updates here? I notice that the Luminous tags are still missing GPG
> signatures. My preference would be to have the signing done explicitly
> by someone involved in the upstream release, using their own personal
> keys, rather than using an automated signer box.

Ping, just sending another reminder here. Signed tags would at the very
least help users verify their sources in the event of something
catastrophic like:
https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002

Cheers, David
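What the thread is asking for, seen from the downstream side: a consumer checks the signed tag with `git verify-tag` and the tarball with a detached `gpg --verify`, and a modified tarball fails the check. This is an added example, not part of the thread or of Ceph's release tooling; it assumes git and gpg 2.1+ are installed, and the key, repository, tag name and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: sign a git tag and a source tarball
# with a throwaway key, verify both as a downstream consumer would, and show
# that the tarball check fails once the archive is altered.
# Assumptions: git and gpg (2.1+) are installed; all names below are constructed.
set -eu

# Create a temporary GPG home, a demo key and a one-commit repo.
# Sets DEMO (workdir) and REPO; a real release would use the releaser's own key.
setup_demo() {
    DEMO="$(mktemp -d)"
    REPO="$DEMO/repo"
    export GNUPGHOME="$DEMO/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Releaser <releaser@example.invalid>' default default never
    git init -q "$REPO"
    git -C "$REPO" -c user.name=demo -c user.email=releaser@example.invalid \
        commit -q --allow-empty -m 'demo release'
    printf 'pretend this is the release tarball\n' > "$DEMO/ceph-demo.tar.gz"
}

# Releaser side: a signed (annotated) tag plus a detached signature on the tarball.
sign_release() {
    git -C "$REPO" -c user.name=demo -c user.email=releaser@example.invalid \
        -c user.signingkey=releaser@example.invalid tag -s v0.0.1 -m 'v0.0.1'
    gpg --batch --yes --armor --detach-sign --local-user releaser@example.invalid \
        "$DEMO/ceph-demo.tar.gz"   # writes ceph-demo.tar.gz.asc next to the tarball
}

# Consumer side. Both return git's/gpg's exit status: 0 only for a good signature.
verify_tag() { git -C "$REPO" verify-tag "$1" >/dev/null 2>&1; }
verify_tarball() { gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1; }

# Full round trip; returns 0 when the genuine artifacts verify and the tampered one does not.
run_demo() {
    setup_demo
    sign_release
    verify_tag v0.0.1 || return 1
    verify_tarball "$DEMO/ceph-demo.tar.gz" || return 1
    printf 'one extra byte' >> "$DEMO/ceph-demo.tar.gz"   # simulate a modified download
    if verify_tarball "$DEMO/ceph-demo.tar.gz"; then return 1; fi
    return 0
}
```

A real check also needs the releaser's key obtained out of band (keyserver or project site) and its fingerprint compared against a trusted source; a good signature from an unknown key only proves the artifact is unchanged since that key signed it.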