Dave Airlie <airl...@gmail.com> writes: > There should be a reason for doing 2, btw just stating I'd like to do > this doesn't give us any advantages over what we have now. Whats the > point, stopping hackers? etc.
If md5sums are to be used to verify that the release tar files have not been modified, then users need a way to ensure that the md5sums are valid. If users are only obtaining the md5sums from web pages or mailman archives hosted on the same server as the tar files, then an attacker that substitutes an alternate tar file can also substitute alternate md5sums in the archives of the release email. > GPG signing tags is now being used sometimes in the kernel world, > though really unless a developer has a gpg key that is trusted by > other devs, and hence has met up with other devs to ensure that, gpg > signing isn't gaining much. Even without personally meeting the developer, one can, for example, watch a sequence of releases where the release notes have all been signed by the same developer. Then you can trust subsequent releases as much as you trust previous releases. For example, I'll be doing the stable releases going forward, and I'll send out release-announcement email messages (containing MD5 sums) that are signed with the same key I'm using to sign the current message. Everyone on this list should have received some number of messages from me in the past all signed with the same key, (that's why I have my email client configured to sign all outgoing messages by default). I have also met with several developers and co-signed each others keys. And I'd be willing to do more of that in the future if that would be helpful. Let me know what else you'd like to see from the release manager. -Carl -- carl.d.wo...@intel.com
pgpqB7nmiQ6UA.pgp
Description: PGP signature
_______________________________________________ mesa-dev mailing list mesa-dev@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/mesa-dev
