On Tue, Jun 16, 2015 at 12:42 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
> Hi!
>
> > Then this fix doesn't make any sense -- you are saying if I download
> > the .tar.gz and .zip and extract those two, I will have precisely the
> > same sources?
>
> Should be the same sources. We shouldn't distribute anything that isn't
> under the respective tag as official sources, so I assume they are.
> Making them part of the distro may not be a bad idea too, this way they
> can be signed. Of course, signing one more file is 33 to 50% more work,
> but I think RMs can deal with it.
>

About signing: recently I got a question that somebody couldn't verify the
tarball signature, because he was trying to verify the extracted contents
instead of the compressed file. He was trying to do that because that is how
the kernel.org releases are signed:
https://www.kernel.org/signature.html#using-gnupg-to-verify-kernel-signatures
and they do that because that way you only need one signature for a given
release regardless of the number of compression formats you provide. Maybe
this is something we should consider also.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
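The kernel.org scheme Ferenc describes, as an added example that is not part of the thread and not php-src or kernel.org code: the detached signature is made over the uncompressed tar stream, so one signature covers the .tar.gz, .tar.bz2 and .tar.xz variants, and the verifier must decompress on the fly and check the stream, not the compressed file and not the extracted tree. The signing primitive here is an HMAC-SHA256 stand-in (assumed, so the script runs offline with the standard library only); in practice the last step is `gpg --verify release.tar.sign -` reading the decompressed stream on stdin, as on the kernel.org page. The release tree, key and file names are constructed for the example.

```python
"""Kernel.org-style release verification: sign the uncompressed tarball once,
verify any compressed variant by decompressing it in a stream.

Added example, not from the thread or any project. HMAC-SHA256 stands in for
the detached OpenPGP signature so the script runs with the stdlib only."""
import bz2
import gzip
import hashlib
import hmac
import io
import lzma
import tarfile

# Constructed sample key; stands in for the release manager's signing key.
RM_KEY = b"release-manager-signing-key"


def sign_uncompressed(tar_bytes: bytes) -> bytes:
    """Detached signature over the *uncompressed* tar stream (stand-in: HMAC)."""
    return hmac.new(RM_KEY, tar_bytes, hashlib.sha256).digest()


def decompressed_stream(blob: bytes):
    """Pick a decompressor by magic bytes, as `gzip -cd` / `bzip2 -cd` / `xz -cd` would."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.GzipFile(fileobj=io.BytesIO(blob))
    if blob[:3] == b"BZh":
        return bz2.BZ2File(io.BytesIO(blob))
    if blob[:6] == b"\xfd7zXZ\x00":
        return lzma.LZMAFile(io.BytesIO(blob))
    raise ValueError("not a gzip, bzip2 or xz stream")


def verify_release(compressed_blob: bytes, signature: bytes) -> bool:
    """The right check: decompress in chunks and verify against the tar stream.

    Equivalent shape to `xz -cd release.tar.xz | gpg --verify release.tar.sign -`.
    """
    mac = hmac.new(RM_KEY, digestmod=hashlib.sha256)
    with decompressed_stream(compressed_blob) as stream:
        while True:
            chunk = stream.read(64 * 1024)
            if not chunk:
                break
            mac.update(chunk)
    return hmac.compare_digest(mac.digest(), signature)


def verify_compressed_bytes_directly(compressed_blob: bytes, signature: bytes) -> bool:
    """The wrong check: the signature compared against the compressed file itself."""
    return hmac.compare_digest(sign_uncompressed(compressed_blob), signature)


def build_release(files: dict) -> bytes:
    """Constructed source tree -> uncompressed tar bytes (deterministic headers)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    """Sign once, verify every compression format; tampering and the wrong check fail."""
    tree = {"php-7.0.0/README": b"PHP release\n",
            "php-7.0.0/main.c": b"int main(void){return 0;}\n"}
    tar = build_release(tree)
    sig = sign_uncompressed(tar)          # the one .tar.sign for this release
    variants = {
        "tar.gz": gzip.compress(tar, mtime=0),
        "tar.bz2": bz2.compress(tar),
        "tar.xz": lzma.compress(tar),
    }
    results = {ext: verify_release(blob, sig) for ext, blob in variants.items()}
    # A modified tree re-compressed with the same tool must not verify.
    tampered = dict(tree, **{"php-7.0.0/main.c": b"int main(void){return 1;}\n"})
    results["tampered.tar.xz"] = verify_release(lzma.compress(build_release(tampered)), sig)
    # Verifying the compressed bytes against a signature over the tar fails.
    results["compressed-bytes-directly"] = verify_compressed_bytes_directly(variants["tar.gz"], sig)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'OK' if ok else 'BAD signature'}")
```

The mirror of the mistake in the thread also fails: a signature over the tar stream is not a signature over the extracted files, so a verifier must be handed the tar bytes (decompressed, not unpacked). Detecting the format by magic bytes rather than by file extension matters because the extension is attacker-controlled on a mirror; the signature, not the name, is what binds the content.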