From mboxrd@z Thu Jan 1 00:00:00 1970
From: Christian Rebischke
Subject: Re: signed tarballs
Date: Sat, 15 Apr 2017 01:03:18 +0200
Message-ID: <20170414230318.GA22493@motoko>
References: <20170406233134.GA32113@motoko> <5856507.yEgrJDtUAW@x2> <6911467.0fbbL1krjI@x2>
In-Reply-To: <6911467.0fbbL1krjI@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, Apr 14, 2017 at 09:38:51AM -0400, Steve Grubb wrote:
> As I said in a subsequent email, "we'll go with hashes now and
> work up to signing another day." But I really am serious that the biggest
> threat to the project is not some wild-eyed MITM attack targeting a whole
> distribution. It's me. I doubt few people truly understand the impact of the
> bug that Laurent reported and why it moved me to change plans and do a quick
> release. (It was not because ausearch was segfaulting.) Again, I call for more
> testing and bug reports. I know they are in the code. I find a couple every
> day or two.

Yep, the first factor is the code. But keep in mind that signing tarballs is
just 5 minutes of work per release. I see no reason why audit shouldn't do it;
all other Red Hat projects do it too.
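The release step the reply prices at a few minutes, as an added shell example that is not part of this thread or of the audit project's tooling: it creates a throwaway GnuPG key and a constructed tarball, publishes a SHA-256 checksum and a detached signature next to it, and shows the consumer-side check rejecting a substituted archive. The key, user id, file names and the GnuPG 2.1+ requirement are assumptions.

```shell
# Added example, not the audit project's own release script: the release-signing
# step discussed above, done with GnuPG in a throwaway keyring so nothing touches
# the user's real keys. Assumes GnuPG 2.1+, tar, sha256sum and coreutils.
set -eu
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"   # older 2.1 agents need this
# Constructed, unprotected signing key for the demonstration only; a real release
# key is passphrase-protected and long-lived.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Release Demo <release@example.invalid>" ed25519 sign 0

# Constructed "release" tarball standing in for an audit-X.Y.tar.gz.
mkdir -p "$WORK/src/audit-demo-1.0"
echo 'int main(void) { return 0; }' > "$WORK/src/audit-demo-1.0/main.c"
TARBALL="$WORK/audit-demo-1.0.tar.gz"
tar -C "$WORK/src" -czf "$TARBALL" audit-demo-1.0

# Release side: a checksum file (catches corruption) plus a detached, armoured
# signature (catches substitution by anyone who lacks the release key).
sign_release() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# Consumer side: both checks must pass, else return 1. A checksum hosted next to
# the tarball proves nothing against substitution; the signature is what matters.
verify_release() {
    want=$(cut -d' ' -f1 "$1.sha256"); got=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$want" = "$got" ] || return 1
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null || return 1
}

# Model a substituted download: one byte of a copy is flipped, while the
# genuine checksum and signature files are shipped alongside unchanged.
tampered_copy() {
    cp "$1" "$1.tampered"; cp "$1.sha256" "$1.tampered.sha256"; cp "$1.asc" "$1.tampered.asc"
    printf 'x' | dd of="$1.tampered" bs=1 seek=10 conv=notrunc 2>/dev/null
    echo "$1.tampered"
}

sign_release "$TARBALL"
verify_release "$TARBALL" && echo "genuine tarball: verified"
BAD=$(tampered_copy "$TARBALL")
verify_release "$BAD" && echo "BUG: tampered tarball accepted" || echo "tampered tarball: rejected"
```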