RPM files should be signed according to yum and zypper standards, DEB files should be signed according to apt and juju standards.
For tarballs, there is no standard. I suggest they should be signed via files in the same directory as the tarballs themselves are published, as this has been the Apache norm for www.apache.org/dist/. What do you think?

--Matt

On Fri, Feb 24, 2012 at 6:14 PM, Daniel Shahaf <[email protected]> wrote:
> Roman Shaposhnik wrote on Fri, Feb 24, 2012 at 17:40:12 -0800:
> > On Fri, Feb 24, 2012 at 4:59 PM, Bruno Mahé <[email protected]> wrote:
> > >> 2. The items with "missing sigs" mentioned in the checker page
> > >> belong to some package repo you publish. It is clear that,
> > >> according to the rules, these packages must be signed, or
> > >> removed.
> > >>
> > >> Regards,
> > >>
> > >> HPP
> > >>
> > >
> > > Sure, since Roman was the release manager I guess he will have to sign
> > > every single file.
> > > I just opened the following ticket:
> > > https://issues.apache.org/jira/browse/BIGTOP-421
> >
> > I'm totally willing to make repositories signed. However, that won't
> > stop the script from complaining.
> >
> > Will it be possible to satisfy apache infra requirements with signed
> > apt/yum/zypper repos?
>
> Yes. The point is that releases must be cryptographically signed and
> verifiable. Signing the .asc files in the apt trees DOES NOT guarantee
> that. Signing the releases in the method specific to apt trees does.
>
> Follow the policy, not the scripts that implement it.
>
> > Linux distributions have been using this mechanism to guarantee
> > authenticity of distributed artifacts for at least 7 years by now and
> > I'm pretty sure it has passed the test of time as far as infosec
> > policies are concerned.
> >
> > Henk, what's your take on this?
> >
> > Thanks,
> > Roman.
>
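The "missing sigs" check the thread refers to, and the per-file verification that the detached-signature convention for www.apache.org/dist/ makes possible, written out as an added example (this is not a script from the Bigtop thread or from Apache infra). It assumes the dist layout Matt describes: each artifact has a sibling detached signature named `<artifact>.asc`, and the signer's public key has already been imported into the local gpg keyring (for instance from the project's KEYS file).

```shell
#!/bin/sh
# Added example: audit a dist directory for release artifacts that lack a
# sibling detached signature, then verify the signatures that are present.
# Assumed layout: <artifact> and <artifact>.asc side by side in one directory.

# Print the path of every artifact in $1 that has no <artifact>.asc beside it.
# Checksum and signature files themselves are not artifacts and are skipped.
# Returns 0 when every artifact is signed, 1 when at least one is missing.
find_missing_sigs() {
    dir="$1"
    missing=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.asc|*.md5|*.sha1|*.sha256|*.sha512) continue ;;
        esac
        if [ ! -f "$f.asc" ]; then
            echo "$f"
            missing=1
        fi
    done
    return $missing
}

# Verify each detached signature in $1 against its artifact with gpg.
# Requires the signer's public key in the keyring; returns 2 if gpg is
# unavailable, 1 if any signature fails to verify, 0 otherwise.
verify_sigs() {
    dir="$1"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    rc=0
    for sig in "$dir"/*.asc; do
        [ -f "$sig" ] || continue
        artifact="${sig%.asc}"
        if gpg --batch --verify "$sig" "$artifact" >/dev/null 2>&1; then
            echo "OK   $artifact"
        else
            echo "FAIL $artifact"
            rc=1
        fi
    done
    return $rc
}
```

Run `find_missing_sigs /path/to/dist` first; an empty listing and exit status 0 mean every artifact carries a signature file, which is the condition the checker page flags. `verify_sigs` is the half the thread points out the checker cannot do for you: a `.asc` file sitting next to a tarball proves nothing until it verifies against a trusted key.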
