On Mon, Mar 21, 2016 at 1:15 PM, Michael Witten
> In short, I request that the maintainers start publishing cryptographically signed, strong hashes of:
>
> * downloadable files.
> * git objects (tags, and even commits).
>
> A cryptographic signature should probably be a personal signature of a relevant maintainer (rather than some generic project-level signature for which nobody has a sufficiently strong incentive to maintain the trustworthiness).
>
> Perhaps, each repository should include a collection of relevant public keys, so as to compound trustworthiness and ease dissemination.

------------------------------------------------------------------------

> I'm new to this community, so forgive my ignorance if I've missed an existing solution.

What you've missed is that this is an Open Source project. Maintained by a group of rather busy volunteers in the industry.

> In any case, something must be done; this project sits at the core of much critical software, and its integrity should be ensured with greater zeal.

Anything that gets done is work volunteered by individuals. If you have specific implemented solutions to solve the verification problem, please contribute them. Otherwise we will take your comments into consideration and implement as we have time to do so. If you would like pointers as to how the current packaging and build process works, we can point you in that direction.

--
-- Rene Rivera
-- Grafik - Don't Assume Anything
-- Robot Dreams - http://robot-dreams.net
-- rrivera/acm.org (msn) - grafikrobot/aim,yahoo,skype,efnet,gmail
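The signed-hash scheme requested in the thread, as an added example that is not Boost's own tooling: a downloader-side verifier that checks the maintainer's signature on a clearsigned SHA256SUMS-style manifest with GnuPG before trusting its contents, then compares each download against the listed digest. It assumes the maintainer's public key is already imported into the local keyring; SAMPLE_MANIFEST is a constructed sample whose signature armor is only a placeholder.

```python
# Added example (not Boost tooling): verify downloads against a clearsigned SHA256SUMS manifest.
import hashlib
import hmac
import subprocess

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample manifest; the signature armor below is a placeholder only.
SAMPLE_MANIFEST = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  hello.txt
-----BEGIN PGP SIGNATURE-----
<placeholder, not a real signature>
-----END PGP SIGNATURE-----
"""

def gpg_verify(manifest_path: str) -> None:
    """Run first: the manifest text is untrusted until gpg accepts the signature."""
    # gpg exits non-zero when the signature does not verify; whether the
    # signing key really belongs to a maintainer is a separate trust decision.
    subprocess.run(["gpg", "--verify", manifest_path], check=True)

def clearsigned_body(text: str) -> str:
    """Return the signed text of a clearsigned message, undoing "- " dash-escaping."""
    head, sep, rest = text.partition(BEGIN_SIGNED + "\n")
    armored, sig_sep, _ = rest.partition("\n" + BEGIN_SIG)
    _, blank, body = armored.partition("\n\n")  # skip "Hash: ..." armor headers
    if head or not (sep and sig_sep and blank):
        raise ValueError("not a well-formed clearsigned message")  # fail closed
    return "\n".join(line[2:] if line.startswith("- ") else line for line in body.split("\n"))

def parse_manifest(body: str) -> dict:
    """Parse sha256sum lines ("<hex>  <name>") into {name: hex_digest}."""
    expected = {}
    for line in body.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(maxsplit=1)
            expected[name.lstrip("*")] = digest.lower()  # "*" marks binary mode
    return expected

def verify_files(expected: dict, files: dict) -> list:
    """Names that are missing from `files` (name -> bytes) or whose SHA-256 differs."""
    return [name for name, digest in expected.items()
            if name not in files or not hmac.compare_digest(
                hashlib.sha256(files[name]).hexdigest(), digest)]
```

A non-empty list from verify_files means the download must not be used; gpg_verify must succeed before clearsigned_body is ever parsed.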