Please provide .asc sign key for release tarball #123

Open
kartikm opened this Issue Apr 30, 2014 · 3 comments

kartikm commented Apr 30, 2014

From our dear friend Lintian in Debian:

This watch file does not include a means to verify the upstream tarball
using cryptographic signature.

If upstream distributions provide such signatures, please use the
pgpsigurlmangle options in this watch file's opts= to generate the URL
of an upstream GPG signature. This signature is automatically downloaded
and verified against a keyring stored in
debian/upstream-signing-key.asc.

Of course, not all upstreams provide such signatures, but you could
request them as a way of verifying that no third party has modified the
code against their wishes after the release. Projects such as
phpmyadmin, unrealircd, and proftpd have suffered from this kind of
attack.
tklauser commented May 1, 2014

Since release 0.5.8-rc3 there are signatures (netsniff-ng_.tar._.sign) for each tarball at http://pub.netsniff-ng.org/netsniff-ng

Or do they need a different file ending (.asc?) to be picked up by lintian?

kartikm commented May 1, 2014

Thanks! I'll check and update here in a day or two.

@tklauser tklauser self-assigned this May 5, 2014

@tklauser tklauser added the NEEDINFO label May 26, 2014

@tklauser tklauser added the debian label Apr 17, 2016

tklauser commented Apr 17, 2016

@kartikm Any news here? The .sign files are on http://pub.netsniff-ng.org/netsniff-ng/ for every release since 0.5.8-rc3. Let me know if you want the file names changed in order for them to get picked up by lintian. Thanks!
