kretcheu opened 3 years ago
Tags are signed, so if you want verified sources I suggest you check out the repo. It'd be neat if GitHub would sign the tarballs they provide, but it looks like they don't. I'm not planning to publish my own tarballs. Does that work for you?
Hi, it's not mandatory, but it is good practice.
In Debian packaging, build "robots" fetch the signed tarball and verify the signature.
There is a guide here: https://wiki.debian.org/Creating%20signed%20GitHub%20releases
Thanks.
I think if you want to 'verify whether what they received matches the same tarball you have released' I'd recommend you check out the tag from git and verify the signature on the tag, rather than getting the tarball. Signing both the tag and the tarball just provides opportunity for the two to get out of sync...
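The tag-first check recommended above, as an added shell example that is not code from the nethogs project or from either commenter. It assumes git and gpg are installed and the maintainer's public key is already in the verifier's keyring; the function names and the `${tag#v}/` archive prefix are choices made for this example.

```sh
#!/bin/sh
# Added example (not nethogs project code): verify the signed git tag instead
# of trusting an unsigned GitHub tarball, then derive the tarball from that
# same verified tag so the two cannot drift apart.
# Assumes git and gpg are installed and the signer's public key is imported.

# verify_signed_tag REPO_DIR TAG
# Succeeds only if TAG is an annotated tag object whose GPG signature
# verifies. A lightweight tag cannot carry a signature, so it is rejected
# even though "git checkout TAG" would happily use it.
verify_signed_tag() {
    repo="$1"; tag="$2"
    [ -n "$repo" ] && [ -n "$tag" ] || return 2
    type="$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null)" || return 1
    [ "$type" = "tag" ] || return 1            # lightweight tag: not signable
    git -C "$repo" verify-tag -- "$tag" >/dev/null 2>&1 || return 1
    # Print the commit the verified tag resolves to, for the build log.
    git -C "$repo" rev-parse "refs/tags/$tag^{commit}"
}

# archive_verified_tag REPO_DIR TAG OUT.tar.gz   (OUT should be an absolute path)
# Builds the source tarball from the verified tag with "git archive", so the
# tarball is derived from the signed object rather than being a second
# artifact, then detach-signs it for consumers that expect a .asc file
# (as the Debian upstream-signature workflow does).
archive_verified_tag() {
    repo="$1"; tag="$2"; out="$3"
    verify_signed_tag "$repo" "$tag" >/dev/null || return 1
    git -C "$repo" archive --format=tar.gz --prefix="${tag#v}/" \
        -o "$out" "refs/tags/$tag" || return 1
    gpg --armor --detach-sign --output "$out.asc" "$out"
}
```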
Thanks Raboof,
For my particular use it's OK; it works fine. However, when I maintain nethogs in the Debian archive, the procedure is normally the one I sent you.
I don't know whether it is possible for the Debian "robots" to do the same with this method. I will look into it.
Did you have any difficulty doing something like that article? I think we can find out how to solve it.
Thanks for your work.
[]'s kretcheu :x
Hi,
could you sign the tarball of the 0.8.6 release?
Thanks.