From mboxrd@z Thu Jan  1 00:00:00 1970
From: William Roberts <bill.c.roberts@gmail.com>
Subject: Re: signed tarballs
Date: Fri, 7 Apr 2017 16:52:57 -0700
Message-ID: <CAFftDdobcW4PKP+c4A=72YecbtG5YZS4ZdKX_bt14oarJfjJGg@mail.gmail.com>
References: <20170406233134.GA32113@motoko>
	<CAFftDdqswpRAF1jEgkppfHwiMc4gErAz-8vkASpBJ63DVeu_+A@mail.gmail.com>
	<20170407234124.GA11400@motoko>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3081539733073534703=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx01.extmail.prod.ext.phx2.redhat.com
	[10.5.110.25])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 3EE947F439
	for <linux-audit@redhat.com>; Fri,  7 Apr 2017 23:52:59 +0000 (UTC)
Received: from mail-oi0-f44.google.com (mail-oi0-f44.google.com
	[209.85.218.44])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 596D17AEA7
	for <linux-audit@redhat.com>; Fri,  7 Apr 2017 23:52:58 +0000 (UTC)
Received: by mail-oi0-f44.google.com with SMTP id f193so102292332oib.2
	for <linux-audit@redhat.com>; Fri, 07 Apr 2017 16:52:58 -0700 (PDT)
In-Reply-To: <20170407234124.GA11400@motoko>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Christian Rebischke <Chris.Rebischke@archlinux.org>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

--===============3081539733073534703==
Content-Type: multipart/alternative; boundary=94eb2c1928482f7863054c9c53d4

--94eb2c1928482f7863054c9c53d4
Content-Type: text/plain; charset=UTF-8

On Apr 7, 2017 4:41 PM, "Christian Rebischke" <Chris.Rebischke@archlinux.org>
wrote:

On Thu, Apr 06, 2017 at 06:27:08PM -0700, William Roberts wrote:
> Why not just checkout the release with git?

Because this wouldn't solve the problem or do you use signed commits in
your linux-audit git repository?


As long as you use a secure protocol and trust his repo signing the tags
doesn't give you all that much.

And even if you use signed commits I
really would appreciate if you would sign the tarball and provide a hash
for it on the release page. This would increase security a lot.


Yes agreed there, at least HTTPS connections are available.


cheers,
chris

--94eb2c1928482f7863054c9c53d4
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto"><div><br><div class=3D"gmail_extra"><br><div class=3D"gma=
il_quote">On Apr 7, 2017 4:41 PM, &quot;Christian Rebischke&quot; &lt;<a hr=
ef=3D"mailto:Chris.Rebischke@archlinux.org">Chris.Rebischke@archlinux.org</=
a>&gt; wrote:<br type=3D"attribution"><blockquote class=3D"quote" style=3D"=
margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class=
=3D"quoted-text">On Thu, Apr 06, 2017 at 06:27:08PM -0700, William Roberts =
wrote:<br>
&gt; Why not just checkout the release with git?<br>
<br>
</div>Because this wouldn&#39;t solve the problem or do you use signed comm=
its in<br>
your linux-audit git repository?</blockquote></div></div></div><div dir=3D"=
auto"><br></div><div dir=3D"auto">As long as you use a secure protocol and =
trust his repo signing the tags doesn&#39;t give you all that much.</div><d=
iv dir=3D"auto"><br></div><div dir=3D"auto"><div class=3D"gmail_extra"><div=
 class=3D"gmail_quote"><blockquote class=3D"quote" style=3D"margin:0 0 0 .8=
ex;border-left:1px #ccc solid;padding-left:1ex">And even if you use signed =
commits I<br>
really would appreciate if you would sign the tarball and provide a hash<br=
>
for it on the release page. This would increase security a lot.<br></blockq=
uote></div></div></div><div dir=3D"auto"><br></div><div dir=3D"auto">Yes ag=
reed there, at least HTTPS connections are available.</div><div dir=3D"auto=
"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><blockquote class=
=3D"quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-le=
ft:1ex">
<br>
cheers,<br>
chris<br>
</blockquote></div><br></div></div></div>

--94eb2c1928482f7863054c9c53d4--


--===============3081539733073534703==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============3081539733073534703==--