Hi Heinrich, On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt <heinrich.schucha...@canonical.com> wrote: > > Downloading binaries and executing without checking the authenticity is > at least unwise. > > When binman downloads GCC it should also download and verify the GPG > signatures. > > Additionally binman could hold a list of the SHA256 hashes of all > binaries in question for a further check.
Buildman? Yes that sounds like a nice feature. Did you hit a problem, or just come up with this idea? You could try the new issue tracker! Regards, Simon