On Fri, 2016-08-26 at 12:05 +0200, Alexander Larsson wrote:
> On fre, 2016-08-26 at 05:02 -0500, Michael Catanzaro wrote:
> >
> > Clone via https:// rather than using git://
>
> Does git verify signatures for this? That avoids the MITM attack I
> guess.
>
> Still, I would like us to eventually have a setup where every stable
> release of every gnome module has a GPG signed commit, put there by
> the release team. Then we could make sure that the binaries for stable
> builds are the proper releases.
Don't all maintainers already use signed tags for releases? Do we not trust
individual maintainers' keys? And if not, how does the release team verify
that what they're signing is correct? Isn't that just shuffling potential
vulnerabilities around?

Sorry for the stream of annoying questions. Here's a non-question to balance
out the email: This is all awesome. Keep up the good work.

--
Shaun

_______________________________________________
gnome-os-list mailing list
https://mail.gnome.org/mailman/listinfo/gnome-os-list
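As an added example that is not part of this thread and not GNOME's own tooling: a build-side policy check for the setup Alexander describes and Shaun asks about. Cloning over https:// authenticates the server for the duration of the transfer; a signed tag authenticates the content itself, and the question "do we trust individual maintainers' keys" becomes, on the build side, "which key fingerprints is the build allowed to accept". The script below feeds the raw gpg status that `git verify-tag --raw` emits through exactly that policy. The fingerprints in `RELEASE_KEYS` are placeholders and the `SAMPLE_*` status texts are constructed, not captured output.

```shell
#!/bin/sh
# Added example, not code from the gnome-os-list thread: accept a release
# only if its tag signature is VALID and was made by a key whose primary
# fingerprint is on a short allow-list, rather than by any key that happens
# to be trusted in the local keyring.
#
# Assumptions (all hypothetical): the fingerprints in RELEASE_KEYS are
# placeholders, and the SAMPLE_* gpg status texts below are constructed to
# look like what `git verify-tag --raw <tag>` writes to stderr.

# Placeholder primary-key fingerprints allowed to sign release tags.
RELEASE_KEYS='0000000000000000000000000000000000000001
0000000000000000000000000000000000000002'

# verify_status STATUS_TEXT
#   STATUS_TEXT is raw gpg status-fd output. Returns 0 only when:
#     - no BADSIG / ERRSIG / NO_PUBKEY / EXPKEYSIG / REVKEYSIG line is present, and
#     - a VALIDSIG line exists whose last field (the primary-key fingerprint)
#       is listed in RELEASE_KEYS.
#   An unsigned tag produces no VALIDSIG line at all and is rejected too.
#   GOODSIG alone is deliberately not enough: it says the signature checks
#   out against *some* key, not that the key belongs to the release team.
verify_status() {
    status=$1
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pkalg> <hashalg> <class> <primary-fpr>
    fpr=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$RELEASE_KEYS" | grep -qxF "$fpr"
}

# verify_tag TAG: run git's own verification and apply the policy to its raw
# status output. Intended use before building a release, e.g.
#   verify_tag 3.22.0 || { echo "refusing to build: tag not signed by a release key" >&2; exit 1; }
verify_tag() {
    verify_status "$(git verify-tag --raw "$1" 2>&1)"
}

# Constructed sample status texts (placeholder key ids, not real gpg output).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Release Team (placeholder)
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2016-08-26 1472205600 0 4 0 1 10 00 0000000000000000000000000000000000000001
[GNUPG:] TRUST_FULLY 0 pgp'

# Valid signature, but from a key that is not on the release-team list.
SAMPLE_UNLISTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000000000AA Some Contributor (placeholder)
[GNUPG:] VALIDSIG 00000000000000000000000000000000000000AA 2016-08-26 1472205600 0 4 0 1 10 00 00000000000000000000000000000000000000AA
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Signature does not verify against the named key.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000001 Release Team (placeholder)'

# Signing key not present in the keyring at all.
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0000000000000001 1 10 00 1472205600 9
[GNUPG:] NO_PUBKEY 0000000000000001'

# Self-demo over the constructed samples; real use is verify_tag above.
for name in GOOD UNLISTED BAD NOKEY; do
    eval "sample=\$SAMPLE_$name"
    if verify_status "$sample"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

Pinning the primary-key fingerprint (the last VALIDSIG field) rather than the signing-subkey fingerprint lets the release team rotate signing subkeys without touching the build's allow-list, while a compromised or unrelated key, even one marked ultimately trusted locally, still cannot get a release past the check.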
