[Mageia-dev] Signature verification of sources
Buchan Milne
bgmilne at staff.telkomsa.net
Wed Jan 11 08:58:53 CET 2012
On Tuesday, 10 January 2012 22:23:25 P. Christeas wrote:
> On Tuesday 10 January 2012, Buchan Milne wrote:
> > I think we should be in the position to be able to verify the origin of
> > any software we provide to users.
> > ...
>
> Just a reminder: a git-based build process would implicitly cover that
> aspect, since the commit SHAs would be traceable back to the code
> maintainers.
As far as I understand, it wouldn't necessarily provide a guarantee that the
upstream git was compromised before it was cloned by the package maintainer.
Regards,
Buchan