* pvops0 git tree signing?
From: Joanna Rutkowska @ 2010-06-08 11:52 UTC
To: xen-devel@lists.xensource.com
So, any plans to start signing the pvops kernel commits? I'm really
reluctant to build and sign, and then distribute, an RPM with the
sources fetched from this repo, if I cannot verify they are authentic in
any way. I can easily imagine packagers from other distributions would
think similar.
It's really just a matter of signing Jeremy's key with the "Xen.org
master key" (0x79BAD9D8), and then typing git tag -s after every major
commit, no?
Thanks,
joanna.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
* Re: pvops0 git tree signing?
From: Konrad Rzeszutek Wilk @ 2010-06-08 13:37 UTC
To: Joanna Rutkowska; +Cc: xen-devel@lists.xensource.com
On Tue, Jun 08, 2010 at 01:52:07PM +0200, Joanna Rutkowska wrote:
> So, any plans to start signing the pvops kernel commits? I'm really
> reluctant to build and sign, and then distribute, an RPM with the
> sources fetched from this repo, if I cannot verify they are authentic in
> any way. I can easily imagine packagers from other distributions would
> think similar.
>
> It's really just a matter of signing Jeremy's key with the "Xen.org
> master key" (0x79BAD9D8), and then typing git tag -s after every major
> commit, no?
I don't know whether we are truly at a release stage yet? (there are
still tons of bugs). Or were you thinking more in terms of whenever
Jeremy merges Greg KH's stable 2.6.32 and then tag it?
* Re: pvops0 git tree signing?
From: Joanna Rutkowska @ 2010-06-08 13:43 UTC
To: Konrad Rzeszutek Wilk; +Cc: xen-devel@lists.xensource.com
On 06/08/2010 03:37 PM, Konrad Rzeszutek Wilk wrote:
> On Tue, Jun 08, 2010 at 01:52:07PM +0200, Joanna Rutkowska wrote:
>> So, any plans to start signing the pvops kernel commits? I'm really
>> reluctant to build and sign, and then distribute, an RPM with the
>> sources fetched from this repo, if I cannot verify they are authentic in
>> any way. I can easily imagine packagers from other distributions would
>> think similar.
>>
>> It's really just a matter of signing Jeremy's key with the "Xen.org
>> master key" (0x79BAD9D8), and then typing git tag -s after every major
>> commit, no?
>
> I don't know whether we are truly at a release stage yet? (there are
> still tons of bugs). Or were you thinking more in terms of whenever
> Jeremy merges Greg KH's stable 2.6.32 and then tag it?
>
Yeah, whenever there is some bigger commit/merge, it would make sense to
sign it.
joanna.
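The check a packager could run before building, once tags are signed as proposed in this thread. This is an added example, not part of the original messages or of the Xen tree. It assumes the packager's keyring marks only the master key as ultimately trusted, so a tag passes only when the signer's key is certified by that key. `status_is_trusted` and `verify_tag` are hypothetical names, and the status lines are constructed samples with placeholder key IDs.

```shell
#!/bin/sh
# Gate a package build on a signed git tag (added example).

# Read GnuPG status lines on stdin. Succeed only if the signature is
# cryptographically valid AND the signer's key has full validity, which
# here means it was certified by a key the verifier trusts ultimately.
status_is_trusted() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { valid = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(valid && trusted && !bad) }
    '
}

# `git verify-tag --raw` writes the GnuPG status lines to stderr.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | status_is_trusted
}

# Constructed sample: developer key certified by the trusted master key.
SAMPLE_CERTIFIED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Developer <dev@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-06-08 1275997927 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp'

# Constructed sample: same valid signature, but nobody the verifier trusts
# has signed the developer key, so the signer could be anyone.
SAMPLE_UNCERTIFIED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Developer <dev@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-06-08 1275997927 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: tag contents do not match the signature.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Developer <dev@example.org>'

for name in CERTIFIED UNCERTIFIED BAD; do
    eval "sample=\$SAMPLE_$name"
    if printf '%s\n' "$sample" | status_is_trusted; then
        echo "$name: ok to build"
    else
        echo "$name: refuse to build"
    fi
done
```

The uncertified case is the one the key-signing step in the thread addresses: the signature itself checks out, but without a certification from a trusted key it says nothing about who made it.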