GPG signatures for source validation #54
Comments
Where can we find the digital signatures? I could still not find any, do you upload this package somewhere else too?
I will not sign code I cannot vouch for. I'll reconsider this once OWS starts signing their code, which I have to include in my source archives.
What? You are the publisher. Signing only helps to verify that the code does not get modified between you, GitHub and the end consumer. It does not give the user any warranty, unless your license does, which is not the case. So why not help improve the security of the packaging of your security? You are a wise man, you implemented OMEMO for Pidgin, please rethink your decision. Thanks.
This plugin is just glue code, the main work is done in the submodules, which include libsignal-protocol-c that does most of the crypto. As long as not all the parts are signed, especially the most critical part, I think this is worthless and I'm not willing to deal with PGP for that.
Imagine someone else wants to include this project in another project. But he will refuse to sign his project, because your project was also not signed. Then nobody would sign any code. Your choice. And besides this, it is also a shame that the Signal guys don't sign their code. Even more important than this Pidgin addon.
As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of Linux distributions face is verifying the authenticity and the integrity of the source code.
The Arch Linux team would appreciate it if you would provide us GPG signatures in order to verify your source code releases easily and quickly.
Overview of the required tasks:
GPGit is meant to bring GPG to the masses. It is not only a shell script that automates the process of creating new signed git releases with GPG but also comes with this step-by-step readme guide for learning how to use GPG.
Additional Information:
Thanks in advance.