From mboxrd@z Thu Jan  1 00:00:00 1970
From: Christian Rebischke <Chris.Rebischke@archlinux.org>
Subject: Re: signed tarballs
Date: Sat, 8 Apr 2017 01:41:25 +0200
Message-ID: <20170407234124.GA11400@motoko>
References: <20170406233134.GA32113@motoko>
	<CAFftDdqswpRAF1jEgkppfHwiMc4gErAz-8vkASpBJ63DVeu_+A@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3271124538007430464=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx02.extmail.prod.ext.phx2.redhat.com
	[10.5.110.26])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id F09E783884
	for <linux-audit@redhat.com>; Fri,  7 Apr 2017 23:41:36 +0000 (UTC)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.142])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 9221C7D0C6
	for <linux-audit@redhat.com>; Fri,  7 Apr 2017 23:41:33 +0000 (UTC)
In-Reply-To: <CAFftDdqswpRAF1jEgkppfHwiMc4gErAz-8vkASpBJ63DVeu_+A@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: William Roberts <bill.c.roberts@gmail.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


--===============3271124538007430464==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="uAKRQypu60I7Lcqm"
Content-Disposition: inline


--uAKRQypu60I7Lcqm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Apr 06, 2017 at 06:27:08PM -0700, William Roberts wrote:
> Why not just checkout the release with git?

Because this wouldn't solve the problem or do you use signed commits in
your linux-audit git repository? And even if you use signed commits I
really would appreciate if you would sign the tarball and provide a hash
for it on the release page. This would increase security a lot.

cheers,
chris

--uAKRQypu60I7Lcqm
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEba97gI+d8lE5YgAA0hRh49/iBg0FAljoI6QACgkQ0hRh49/i
Bg2EZQ/6AmbqTv4cyhZ2N+UraQyaSQVxIXw08xkRqdbDJIcWdY2MPZHs64z2DTLH
GPEN013ywlNIrzdwn3mworsjWZ0LIw2q966CEK/31xyLMQxDCLzWUqmCTs/N5xT4
SpUGjZKwlXYQSou7/8WO3N5j0vzPIM6AGdlYu6R0LgA9jFLelZkQIn5C7IeAJzvo
TyShSJOZUlsUHzJkoINJpe1laznsvxKGhGT4C+5gCn7nIZMu0hYga/JbduFlsgnA
gLqVkoJFeIzLGJaT6yjq3IWmrC8cA8Lci/qyHvpyNxgJ7MOgLKQixSAC55i47K00
pH+VMHMZm/6mLH8kmS+0YfD5B9zcjxjaEc2B2wj+dYiBZ4ETdYS59vVFSsm2pN7c
vJExg72b7fC7PleoSjNDKeZMV6tRYJRoWQrUalI3UtCk1vZJcnsvWvPk8MpWysYQ
5EMyTECOUE2v3gw0NMuJl+iNTlm4AHlGhP1IkeES/VHyFw8Ww0b8k19OaByWSQlI
LFbOV9wq6SxtMhNnMLF0oY7TCBEQsXEsxjuvTaHamslxiKvXGLgTo9MMphYcwQNi
QwfORwecCPgzAxQC/lnGKt+gHJw7EGoxzc9miMogtCt1F+xp0uDQCFW2ZEI/tqih
Igvr/a0RWQzJMFQ1rDtWGwO8f1db7dPeAMZulVJwgfqrroChORo=
=gFyl
-----END PGP SIGNATURE-----

--uAKRQypu60I7Lcqm--


--===============3271124538007430464==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============3271124538007430464==--