skvadrik / re2c

Lexer generator for C, C++, Go and Rust.
https://re2c.org

Are the re2c release tar balls signed? #488

Open rmccullagh opened 1 week ago

rmccullagh commented 1 week ago

I am wondering if there is a way to verify the GitHub release tarballs.

skvadrik commented 1 week ago

No, they are not signed.

> I am wondering if there is a way to verify the GitHub release tarballs.

Well, there is a way -- the build should be reproducible, so you can clone re2c repo, git --reset to the desired release tag and run make distcheck. This will build the tarballs, and then you can compare the hashes with those downloaded from github. It's probably too much effort unless you are a distro maintainer. ;)
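
The rebuild-and-compare check described in the comment above, as an added shell example that is neither re2c's own tooling nor code from this thread. It assumes (none of this is stated on the page) that the clone builds with `./autogen.sh && ./configure && make distcheck`, that the tarball name in the release matches the one `make distcheck` produces, and that the file you compare against is the maintainer-uploaded dist tarball rather than GitHub's auto-generated "Source code" archive. The demo at the bottom runs on constructed files only, so it needs neither network nor a build toolchain.

```shell
#!/bin/sh
# Added example (not re2c's own code): verify a downloaded release tarball by
# rebuilding it from the tagged source and comparing SHA-256 hashes.
# Assumptions, not from the page: clone path, tag name, autotools build steps.
set -eu

# Print the SHA-256 of a file; works with GNU coreutils or BSD/macOS shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Exit status 0 if both files are byte-for-byte identical (same SHA-256).
tarballs_match() {
    [ "$(file_sha256 "$1")" = "$(file_sha256 "$2")" ]
}

# Reproduce the dist tarball NAME from an existing clone REPO checked out at TAG
# and print its path. Not executed by the demo below: it needs git, autotools
# and a C++ toolchain. The build steps are an assumption about the project.
reproduce_dist_tarball() {
    repo=$1 tag=$2 name=$3
    git -C "$repo" checkout --quiet "$tag"
    ( cd "$repo" && ./autogen.sh && ./configure && make distcheck ) >/dev/null 2>&1
    [ -f "$repo/$name" ] || { echo "distcheck did not produce $name" >&2; return 1; }
    printf '%s\n' "$repo/$name"
}

# Full check: DOWNLOADED is the release asset, REPO a clone, TAG the release tag.
verify_release() {
    downloaded=$1 repo=$2 tag=$3
    rebuilt=$(reproduce_dist_tarball "$repo" "$tag" "$(basename "$downloaded")")
    if tarballs_match "$downloaded" "$rebuilt"; then
        echo "OK: $downloaded matches the tarball rebuilt from $tag"
    else
        echo "MISMATCH: $(file_sha256 "$downloaded") (downloaded) vs" \
             "$(file_sha256 "$rebuilt") (rebuilt from $tag)" >&2
        return 1
    fi
}

# Self-contained demonstration on constructed files: two identical "tarballs"
# match, and a one-byte change in the downloaded copy is detected.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed release bytes\n' > "$tmp/re2c-example.tar.xz"
    cp "$tmp/re2c-example.tar.xz" "$tmp/rebuilt.tar.xz"
    tarballs_match "$tmp/re2c-example.tar.xz" "$tmp/rebuilt.tar.xz" && echo "identical: match"
    printf 'constructed release bytes!\n' > "$tmp/re2c-example.tar.xz"
    tarballs_match "$tmp/re2c-example.tar.xz" "$tmp/rebuilt.tar.xz" || echo "tampered: mismatch"
    rm -rf "$tmp"
}
demo
```

Two caveats before trusting a mismatch. Byte-identical reproduction of an autotools dist tarball generally requires the same autoconf, automake, tar and xz versions the maintainer used, so a differing hash can mean toolchain drift rather than tampering; extract both tarballs and diff the trees to tell the two apart. And GitHub's automatically generated "Source code (tar.gz/zip)" links are `git archive` output produced by GitHub, not by `make distcheck`, so they will never hash-match a dist tarball and are not what this check is for.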

pmetzger commented 6 days ago

If the tarballs you use are the ones generated by github and you download them over https:, you're trusting github, but no more than you're trusting them with the storage of the version controlled code in the first place.

skvadrik commented 6 days ago

> If the tarballs you use are the ones generated by github and you download them over https:, you're trusting github, but no more than you're trusting them with the storage of the version controlled code in the first place.

Hmm, I think it's easier to change one binary artifact and go unnoticed than it is to change the source code (which is cloned by many people) and still go unnoticed. So I see why signing the binary artifacts may be useful (and hopefully not hard to do). It just never crossed my mind, and this is the first time someone asked.