* GPG signed release tarballs
@ 2016-05-24 9:52 Martin Steigerwald
2016-05-24 15:22 ` Jens Axboe
0 siblings, 1 reply; 2+ messages in thread
From: Martin Steigerwald @ 2016-05-24 9:52 UTC (permalink / raw)
To: fio; +Cc: Jens Axboe
Hi Jens!
I wonder about a way to retrieve the source after checking the upstream GPG
signature. Do you provide those somewhere?
I don't see any on http://brick.kernel.dk/snaps/, where I usually go to get
new upstream release tarballs.
N: Processing source package fio (version 2.10-1, arch source) ...
P: fio source: debian-watch-may-check-gpg-signature
N:
N: This watch file does not include a means to verify the upstream tarball
N: using cryptographic signature.
N:
N: If upstream distributions provide such signatures, please use the
N: pgpsigurlmangle options in this watch file's opts= to generate the URL
N: of an upstream GPG signature. This signature is automatically downloaded
N: and verified against a keyring stored in
N: debian/upstream/signing-key.asc.
N:
N: Of course, not all upstreams provide such signatures, but you could
N: request them as a way of verifying that no third party has modified the
N: code against their wishes after the release. Projects such as
N: phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N: attack.
N:
N: Refer to the uscan(1) manual page for details.
N:
N: Severity: pedantic, Certainty: certain
N:
N: Check: watch-file, Type: source
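As an added illustration (not part of the thread) of the change the lintian note asks for: the first debian/watch form only downloads the tarball, the second adds pgpsigurlmangle so uscan also fetches a detached signature and verifies it against debian/upstream/signing-key.asc. The tarball naming pattern and the `.asc` suffix are assumptions; as the message above notes, fio does not publish signatures at that location.

```text
# debian/watch, current form: no signature check, so lintian reports
# debian-watch-may-check-gpg-signature (severity pedantic).
version=3
http://brick.kernel.dk/snaps/fio-(\d[\d.]+)\.tar\.bz2

# debian/watch, corrected form (assumes upstream would publish a detached
# signature next to each tarball as <tarball>.asc). uscan applies the sed
# expression to the tarball URL to derive the signature URL, downloads
# both, and rejects the tarball unless the signature verifies against a
# key in debian/upstream/signing-key.asc.
version=3
opts="pgpsigurlmangle=s/$/.asc/" \
  http://brick.kernel.dk/snaps/fio-(\d[\d.]+)\.tar\.bz2
```

The keyring in debian/upstream/signing-key.asc is the trust anchor here: it must be populated from a key obtained out of band from the upstream maintainer, not from the same download location as the tarball.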