Issue (open), opened by avanier 6 years ago
That'd be nice indeed. You don't want fake packages to go leak all your secrets xD
Yes, I have thought about signed releases and will likely do this in the future. Although, I'm not sure how far in the future. It probably won't be in the next release.
A signed package does not guarantee the source code from which it is compiled.
But the concern is valid. I, too, am paranoid, and would expect signed releases in the future.
Would it be possible to have signed binary releases? Right now, if I want to get binaries that I know represent the code available at a given version, I have to pull from GitHub and compile the code myself.
GPG FTW.
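As an added example (not code from this thread or from the project), the shell script below shows the two checks the comments above ask for: verifying a release artifact against a detached GPG signature pinned to a known key fingerprint, and then comparing the artifact's hash with one built locally from the tagged source, since a good signature only proves who published the binary, not what source it was compiled from. The key, file names and artifact contents are constructed inside `setup_fixture` for demonstration.

```shell
#!/bin/sh
# Added example, not part of the project: verify a GPG-signed release and
# compare it with a local build. Everything under setup_fixture is constructed.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (GNU coreutils or BSD fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_release ARTIFACT SIG PUBKEY_FILE EXPECTED_FPR
# Succeeds only if SIG is a valid detached signature over ARTIFACT made by the
# key whose full fingerprint is EXPECTED_FPR. A throwaway keyring is used so
# that nothing in the user's own keyring can vouch for the artifact.
verify_release() {
    artifact=$1; sig=$2; pubkey=$3; expected_fpr=$4
    home=$(mktemp -d)
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null
    # --status-fd 1 emits machine-readable lines; a BADSIG makes gpg exit non-zero
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null) || status=""
    rm -rf "$home"
    # Pin to the fingerprint on the VALIDSIG line, not just "some valid signature"
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr "
}

# matches_local_build RELEASED_ARTIFACT LOCALLY_BUILT_ARTIFACT
# Closes the gap the signature leaves: the published binary must be
# byte-for-byte what the tagged source produces (requires a reproducible build).
matches_local_build() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# setup_fixture DIR: create a constructed signing key, a fake release artifact,
# its detached signature, the exported public key, the expected fingerprint,
# and a "local build" that is identical to the release.
setup_fixture() {
    dir=$1
    keyhome=$(mktemp -d)
    chmod 700 "$keyhome"
    gpg --homedir "$keyhome" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Release Signer (constructed) <signer@example.invalid>" \
        default default never 2>/dev/null
    gpg --homedir "$keyhome" --batch --with-colons --fingerprint signer@example.invalid \
        | awk -F: '/^fpr:/ { print $10; exit }' > "$dir/expected.fpr"
    gpg --homedir "$keyhome" --batch --quiet --armor \
        --export signer@example.invalid > "$dir/release.pub"
    printf 'constructed release binary v1.0.0\n' > "$dir/tool-v1.0.0.bin"
    cp "$dir/tool-v1.0.0.bin" "$dir/local-build.bin"
    gpg --homedir "$keyhome" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$dir/tool-v1.0.0.bin.asc" \
        "$dir/tool-v1.0.0.bin" 2>/dev/null
    rm -rf "$keyhome"
}

# Stand-alone run: build the fixture, then perform both checks
if [ "${DEMO:-0}" = "1" ]; then
    d=$(mktemp -d)
    setup_fixture "$d"
    verify_release "$d/tool-v1.0.0.bin" "$d/tool-v1.0.0.bin.asc" \
        "$d/release.pub" "$(cat "$d/expected.fpr")" && echo "signature: good"
    matches_local_build "$d/tool-v1.0.0.bin" "$d/local-build.bin" && echo "local build: matches"
fi
```

Run it with `DEMO=1 sh verify.sh` (requires GnuPG 2.1 or later). In real use the public key and expected fingerprint come from an out-of-band source (the project's documentation or a key you already hold), never from the same download location as the artifact, and `matches_local_build` is only meaningful once the project's build is reproducible.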