[PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
tmz at pobox.com
Mon Mar 9 23:42:48 CET 2015
Jason A. Donenfeld wrote:
> On Mar 8, 2015 12:35 AM, "Todd Zullinger" <tmz at pobox.com> wrote:
>> But while we're on the subject, are there PGP signatures available
>> for the cgit tarballs themselves?
> I include a sha256 of the tarball in the announcement emails. Those
> emails are pgp signed. My pgp key is embedded in the repo, as well,
> and it's verifiable that all announce emails have been signed with
> the same key.
(It's a SHA1, isn't it? Not that I care terribly about that part,
other than a general preference for SHA256. :)
More important is that verifying the PGP signature from an archive
is not always easy. More often than not, list archives introduce
subtle whitespace damage or worse.
The other point that John made is more interesting. If cgit generates
a tarball on demand, aren't there opportunities for the hash in the
announcement mail (or a detached signature) to become invalid? I
believe that git archive has made changes in the past to avoid
including the timestamp in the gzip archive, which helps. I don't
know if there are other ways this could change.
In the end, I don't know if it's a problem that can be solved in a way
that doesn't cause more work for you as a maintainer or the other fine
folks who are contributing. That's certainly not my intention. ;)
> On Mar 9, 2015 9:49 PM, "John Keeping" <john at keeping.me.uk> wrote:
>> It turns out that GMane mangles the list address in the message,
> Better archives:
I tried that earlier, before posting, and found that it munges things
too. Mailman's munging is often due to whitespace changes and is
hard to avoid. Maybe the change to hyperkitty in Mailman 3 will
improve this aspect of the archives. ;)
Todd
OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
Damn you and your estrogenical treachery!
-- Stewie Griffin
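The concern raised above, that a tarball generated on demand can stop matching the hash in a signed announcement, comes down to one header field: gzip stores a 32-bit MTIME at bytes 4..7 of the stream, so the same tar payload compressed at two different times yields two different SHA256 sums. The following is an added illustration, not code from the thread or from cgit or git: it builds a small tar archive in memory with Python's standard library (constructed sample files and fixed timestamps are assumptions), compresses it once per "download time" with the timestamp recorded and once with MTIME set to 0 (what `gzip -n`, and git archive's tar.gz output, emit), and compares the resulting digests.

```python
import gzip
import hashlib
import io
import tarfile


def build_tar_bytes(files):
    """Build an uncompressed tar archive in memory from {name: bytes}.

    Entry metadata (mtime, uid, gid) is pinned so the tar payload itself is
    deterministic; the variable part under test is only the gzip layer.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 1425861768  # constructed: fixed entry timestamp
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_bytes(payload, mtime):
    """Gzip `payload`, writing `mtime` into the 4-byte MTIME header field.

    mtime=0 means "no timestamp available"; that is what `gzip -n` writes
    and what makes repeated compressions of identical input byte-identical.
    """
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(payload)
    return out.getvalue()


def sha256_hex(data):
    """Hex SHA256 digest, the value a release announcement would carry."""
    return hashlib.sha256(data).hexdigest()


def gzip_header_mtime(data):
    """Read MTIME back out of a gzip header (little-endian, bytes 4..7)."""
    return int.from_bytes(data[4:8], "little")


def tarball_hashes(files, build_times):
    """Hash the same tree packed at several build times.

    Returns (digests_with_mtime, digests_with_mtime_zero). The first list
    differs between builds; the second is constant, so a published hash
    stays valid across regenerations.
    """
    payload = build_tar_bytes(files)
    with_ts = [sha256_hex(gzip_bytes(payload, t)) for t in build_times]
    without_ts = [sha256_hex(gzip_bytes(payload, 0)) for _ in build_times]
    return with_ts, without_ts


if __name__ == "__main__":
    # Constructed sample tree and two hypothetical "download" times.
    sample = {"cgit-0.11/README": b"cgit sample\n", "cgit-0.11/cgit.c": b"int main(void){return 0;}\n"}
    stamped, stable = tarball_hashes(sample, [1425861768, 1425948168])
    for t, s in zip(stamped, stable):
        print("with MTIME:   ", t)
        print("MTIME=0:      ", s)
```

The check a verifier would do against a downloaded archive is simply `sha256_hex(open(path, "rb").read())` compared with the announced value; if that fails, `gzip_header_mtime` tells you whether the mismatch is just a regenerated timestamp rather than altered contents, since the inner tar can still be compared after decompression.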