> On 10/04/14 13:06, Joe Patterson wrote:
> > Not so much a "confidentiality" benefit as an "integrity" benefit,
> > to make sure you really are getting your software from who you
> > think you're getting it from.
>
> The only way to truly get that confirmation is by using the signature
> files, or other signature mechanism (preferably via another channel)
>
> Samuli: Maybe our release announcements should be PGP signed, with
> sha256sums of the files we're releasing? And maybe we should consider
> a possibility to host at least a copy of the PGP signatures of our
> files on an external server too? (That should *not* be a mirrored
> setup, but somehow distributed outside of a public HTTP{,S})
>
> <paranoid mode="off"/>
>
What if we'd put the sha256sums to Git? That would be distributed, so any meddling could be detected easily.

Samuli

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
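As an added example (not code from this thread or from the OpenVPN project), a small Python checker for the scheme discussed above: a sha256sums manifest whose trustworthiness rests on its PGP signature. It parses the sha256sum(1) manifest format, reports altered or missing files, and shells out to gpg for the signature step; the file names and contents in demo() are constructed placeholders, not real release files.

```python
import hashlib, os, subprocess, tempfile

def parse_sha256sums(text):
    # sha256sum(1) format: '<64 hex>  <name>' (text mode) or '<64 hex> *<name>' (binary mode)
    expected = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, name = line.partition("  ")
        if not sep:
            digest, sep, name = line.partition(" *")
        if not sep or len(digest) != 64 or set(digest.lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed manifest line {n}: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify_release_dir(manifest_text, directory):
    # Map each manifest entry to 'ok', 'mismatch' (altered or corrupt) or 'missing'.
    results = {}
    for name, digest in parse_sha256sums(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
        results[name] = "ok" if actual == digest else "mismatch"
    return results

def manifest_signature_ok(manifest_path, sig_path):
    # Trust the manifest only after gpg(1) reports a good detached signature by a known key (exit 0).
    try:
        proc = subprocess.run(["gpg", "--batch", "--verify", sig_path, manifest_path], capture_output=True)
    except FileNotFoundError:  # no gpg installed: fail closed, never trust an unsigned manifest
        return False
    return proc.returncode == 0

def demo():
    # Constructed sample, not real release files: build the manifest from the originals, then alter one file.
    d = tempfile.mkdtemp()
    originals = {"openvpn-X.Y.tar.gz": b"constructed tarball bytes",
                 "ChangeLog": b"constructed changelog"}
    lines = []
    for name, data in originals.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
    with open(os.path.join(d, "ChangeLog"), "ab") as f:  # simulate meddling in transit
        f.write(b" (altered)")
    return verify_release_dir("\n".join(lines) + "\n", d)
```

Running demo() reports the untouched tarball as ok and the altered ChangeLog as a mismatch; a manifest entry with no file present is reported as missing.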