Verifying sources and/or binaries #16
Comments
|
Hi! Recently I've planned to do that in the future :) (or even provide an
apt repository or something similar)
Am 4. Februar 2020 12:31:17 schrieb Gigadoc2 <[email protected]>:
… It seems that you currently do not sign the git tags or the published binary.
To enable (semi-)automatic updates of prosody-filer in production, it would
be nice to have some way to automatically verify that the sources used to
build the binary or the downloaded binary itself is indeed still coming
from you ;)—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
+1 for apt repository! :) |
|
Latest commits make use of signed commits, now. I don't consider this a full solution to your wish, but it might be a first step. I'd be happy to offer you an apt repository, soon. There have been experiments already, but I don't feel confident enogh for the package maintainer / repo maintainer role, yet. So don't expect an APT repo, too soon ;) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It seems that you currently do not sign the git tags or the published binary.
To enable (semi-)automatic updates of prosody-filer in production, it would be nice to have some way to automatically verify that the sources used to build the binary or the downloaded binary itself is indeed still coming from you ;)
The text was updated successfully, but these errors were encountered: