mozilla / DeepSpeech

DeepSpeech is an open source embedded (offline, on-device) speech-to-text engine which can run in real time on devices ranging from a Raspberry Pi 4 to high power GPU servers.
Mozilla Public License 2.0

GPG signatures for source validation #1273

Open NicoHood opened 6 years ago

NicoHood commented 6 years ago

As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of GNU/Linux distributions face is the difficulty of verifying the authenticity and the integrity of the source code. With GPG signatures it is possible for packagers to verify source code releases quickly and easily.

In order to securely package your software I am kindly requesting GPG signatures for the source tarballs. If you are not yet familiar with secure source code signing I recommend using GPGit which automates the process of secure source code signing and also has a quick start guide on GPG for learning how to use it manually.

Thanks in advance.

NicoHood commented 6 years ago

@lissyx Could you please GPG sign the new 0.2 release?

lissyx commented 6 years ago

@NicoHood We have not yet worked on that, sorry.

lissyx commented 6 years ago

FYI we're reusing some Firefox tooling, scriptworker, that is tailored to that purpose, so it's definitively something we will be able to handle.

kdavis-mozilla commented 4 years ago

@lissyx Should we do this for 1.0.0?

lissyx commented 4 years ago

> @lissyx Should we do this for 1.0.0?

We could, but we need a proper plan, I'm not sure I can commit to this.

kdavis-mozilla commented 4 years ago

Then decided, it's not in 1.0.0.