Dave Page wrote:

It's rumoured that Raphaël Enrici once said:


What did you have in mind, a pgp sig for each file? I don't see that as
a problem for each packager to create.


As RPM and DEB packages integrate gpg signatures, I just wanted to
know if there were a pgp/gpg key global to the pgAdmin team, something
that was used to sign the files of the project like binaries, sources,
etc. I'm OK to sign the deb package by myself.
And I wanted to know if you have signed the files in the past? For
example the source tarball and win32 packages.



No, there is no 'global' key. That would probably be pretty insecure. I would think that a pgp/gpg sig from the packager would suffice - it would at least prove that the file hadn't been tampered with. Mind you, it doesn't prevent someone packaging their own version and pretending they are the official packager. Perhaps I should sign everything

Dear Dave,

IMHO, you should at least sign the tarball you publish as the beta release, and all packagers should verify it against your public key before packaging anything; they should also sign their packages with their own keys. Maybe we should also publish a link to our personal public keys, or the way to get them.

Cheers,
Raphaël
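The flow Raphaël proposes (the release manager signs the tarball, every packager verifies it against the release manager's public key before packaging), as an added shell example that is not code from the pgAdmin project or from this thread. It runs entirely in throwaway GnuPG keyrings under a temporary directory, so it works offline; the key holder's name, the example.invalid address and the tarball contents are made up for the demonstration. The fingerprint comparison stands in for the out-of-band publication of the key that Raphaël mentions (a link to the public keys): the packager checks the fingerprint of the imported key against a value obtained separately from the download, then checks the detached signature.

```shell
#!/bin/sh
# Added example, not code from the pgAdmin project or from this thread.
# Release-signing flow: the release manager signs the tarball with a detached
# GnuPG signature; a packager imports the published key, pins its fingerprint
# (learned out of band) and verifies the signature before packaging.
# Everything runs in throwaway keyrings under a temporary directory.  Names,
# the example.invalid address and the tarball contents are made up.
set -eu

WORK=$(mktemp -d)
RELEASE_HOME="$WORK/release-gnupg"      # release manager's keyring
PACKAGER_HOME="$WORK/packager-gnupg"    # packager's keyring, starts empty
mkdir -m 700 "$RELEASE_HOME" "$PACKAGER_HOME"
RELEASE_UID="release@example.invalid"
RELEASE_PUBKEY="$WORK/release-pubkey.asc"

# Release side: a signing-only key without passphrase, for batch use only.
# A real release key would be passphrase-protected and kept off build hosts.
make_release_key() {
    [ -s "$RELEASE_PUBKEY" ] && return 0      # already generated
    cat > "$WORK/keyparams" <<EOF
%no-protection
Key-Type: EDDSA
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Release Manager
Name-Email: $RELEASE_UID
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$RELEASE_HOME" gpg --batch --quiet --gen-key "$WORK/keyparams" 2>/dev/null
    GNUPGHOME="$RELEASE_HOME" gpg --batch --quiet --armor --export "$RELEASE_UID" > "$RELEASE_PUBKEY"
}

# Fingerprint of the release key.  This is the value to publish through a
# channel separate from the download site (web page, keyserver, in person).
release_fingerprint() {
    GNUPGHOME="$RELEASE_HOME" gpg --batch --with-colons --fingerprint "$RELEASE_UID" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Release side: detached, ASCII-armoured signature stored next to the tarball.
sign_release() {
    GNUPGHOME="$RELEASE_HOME" gpg --batch --yes --quiet --armor --detach-sign \
        --local-user "$RELEASE_UID" --output "$1.asc" "$1" 2>/dev/null
}

# Packager side.  Succeeds (exit 0) only if the imported key's fingerprint is
# the expected one AND the detached signature verifies against the tarball.
verify_release() {
    tarball=$1; pubkey=$2; expected_fpr=$3
    GNUPGHOME="$PACKAGER_HOME" gpg --batch --quiet --import "$pubkey" 2>/dev/null
    actual_fpr=$(GNUPGHOME="$PACKAGER_HOME" gpg --batch --with-colons --fingerprint "$RELEASE_UID" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$actual_fpr" = "$expected_fpr" ] || return 1
    GNUPGHOME="$PACKAGER_HOME" gpg --batch --quiet --verify "$tarball.asc" "$tarball" 2>/dev/null
}

# Demonstration: a pristine release, then the same tarball with a byte appended.
make_release_key
FPR=$(release_fingerprint)
DEMO="$WORK/pgadmin-example-src.tar.gz"
printf 'constructed stand-in for a release tarball\n' > "$DEMO"
sign_release "$DEMO"
if verify_release "$DEMO" "$RELEASE_PUBKEY" "$FPR"; then echo "pristine tarball: OK"; fi
printf 'x' >> "$DEMO"
if ! verify_release "$DEMO" "$RELEASE_PUBKEY" "$FPR"; then echo "tampered tarball: REJECTED"; fi
```

The fingerprint pin is what answers Dave's objection: a detached signature only proves that the file has not changed since whoever held the signing key signed it, and anyone can generate a key naming themselves the official packager. Binding a key to the project has to come from somewhere the attacker does not control, which is why the fingerprint (or the key itself) belongs on a page or channel separate from the download mirror, and why `gpg --verify` returning success on an untrusted, unpinned key is not sufficient on its own.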

