It's usually not feasible for the group responsible for signing binaries to also build the binary. It should be secure enough to scp the bits somewhere along with a sha/md5 checksum file.
On Aug 16, 2012, at 3:13 PM, Om wrote:

> I agree with Carol. When a release manager signs a binary, they are
> implicitly guaranteeing that what is in the binary was really built from
> the sources. If they did not create the binary themselves, how can they
> verify what exactly went into the binary?
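The signing-side gate that the "scp the bits plus a checksum file" workflow depends on, as an added example that is not part of this thread: it verifies the artifact against a SHA-256 list before running the signing command, refuses MD5-length digests, and assumes the checksum list reached the signer over a channel the signer trusts (a list copied alongside the bits proves only transit integrity). The file names and the `sign_if_verified` helper are constructed for the example.

```shell
#!/bin/sh
# Added example: gate a release signature on a checksum check.
# Assumes coreutils sha256sum and a sha256sum-format list ("<hex>  <name>").

# verify_artifact ARTIFACT CHECKSUM_FILE
# Returns 0 only if CHECKSUM_FILE lists ARTIFACT with a matching SHA-256.
verify_artifact() {
    artifact=$1
    sums=$2
    # Find the line for this file name (optional "*" marks binary mode).
    line=$(grep -E "[[:space:]]\*?$(basename "$artifact")\$" "$sums" | head -n 1)
    [ -n "$line" ] || return 1
    digest=${line%% *}
    # Reject anything that is not 64 hex characters; an MD5 line is 32.
    case $digest in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ ${#digest} -eq 64 ] || return 1
    actual=$(sha256sum "$artifact" | cut -d' ' -f1)
    [ "$actual" = "$digest" ]
}

# sign_if_verified ARTIFACT CHECKSUM_FILE SIGN_CMD
# Runs SIGN_CMD on ARTIFACT (e.g. "gpg --detach-sign --armor") only after
# the checksum check passes; otherwise refuses and returns non-zero.
sign_if_verified() {
    if verify_artifact "$1" "$2"; then
        $3 "$1"
    else
        echo "refusing to sign $1: checksum mismatch or unusable digest" >&2
        return 1
    fi
}
```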