Hi Sean,

On 15.07.19 19:02, Sean Whitton wrote:
> On Mon 15 Jul 2019 at 01:16PM +02, Michael Kesper wrote:
>
>> Nonetheless it seems to me you are moving from trusting local signing
>> to trusting upload by salsa, thereby making salsa more attractive for
>> attackers.
>
> I don't follow -- the git tag is PGP-signed, locally, by the uploader.
> Just like how they would PGP-sign, locally, the .dsc and .changes.

Ah ok, sorry, this wasn't clear to me.

Michael