goldfish
Feature request: Signed releases
Would it be possible to have signed binary releases? Right now, if I want to get binaries that I know represent the code available at a given version, I have to pull from GitHub and compile the code myself.
GPG FTW.
That'd be nice indeed. You don't want fake packages to go leak all your secrets xD
Yes, I have thought about signed releases and will likely do this in the future. Although, I'm not sure how far in the future. It probably won't be in the next release.
A signed package does not guarantee the source code from which it is compiled.
But the concern is valid. I, too, am paranoid, and would expect signed releases in the future.
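The verification flow the thread is asking for, and the limitation raised above, as an added example that is not goldfish's own release tooling or anything from this thread: it uses Ed25519 from Go's standard library as a stand-in for GPG detached signatures, with the maintainer and impostor keys, the "binary" bytes and the `Release`, `SignRelease`, `VerifyRelease` and `Demo` names all constructed for illustration. The four cases show what a signature does prove (the bytes are unchanged and were signed by the holder of the published key) and what it does not (which source tree produced them).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is a constructed stand-in for a downloadable binary together with
// the detached signature a maintainer would publish beside it.
type Release struct {
	Binary    []byte
	Signature []byte
}

// SignRelease signs the SHA-256 digest of the artifact with the maintainer's
// private key, mirroring the usual "sign the checksum file" release flow.
func SignRelease(priv ed25519.PrivateKey, binary []byte) Release {
	digest := sha256.Sum256(binary)
	return Release{Binary: binary, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyRelease is the downloader's check: recompute the digest of what was
// actually fetched and verify the signature against the published public key.
// Any change to the bytes, or a signature from some other key, fails here.
func VerifyRelease(pub ed25519.PublicKey, r Release) bool {
	digest := sha256.Sum256(r.Binary)
	return ed25519.Verify(pub, digest[:], r.Signature)
}

// Outcome collects the four cases a practitioner should understand.
type Outcome struct {
	Genuine        bool // untouched artifact, maintainer's key: true
	Tampered       bool // bytes modified after signing: false
	WrongKey       bool // signed by someone other than the maintainer: false
	OtherSourceSig bool // different code, but signed with the maintainer's key: true
}

// Demo runs the four checks with freshly generated keys (constructed sample data).
func Demo() (Outcome, error) {
	maintainerPub, maintainerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// Constructed placeholder for the bytes of a release binary.
	binary := []byte("goldfish-vX.Y.Z-linux-amd64 (constructed sample bytes)")
	genuine := SignRelease(maintainerPriv, binary)

	// Case 2: the artifact was altered in transit or on a mirror after signing.
	tampered := Release{Binary: append([]byte{}, genuine.Binary...), Signature: genuine.Signature}
	tampered.Binary[0] ^= 0x01

	// Case 3: a well-formed signature, but from a key that is not the maintainer's.
	wrongKey := SignRelease(impostorPriv, binary)

	// Case 4: a binary built from a different source tree, signed with the
	// maintainer's key. It verifies: the signature vouches for the signer, not
	// for which source produced the bytes. Binding bytes to source needs
	// reproducible builds or build provenance on top of signing.
	otherSource := SignRelease(maintainerPriv, []byte("built from some other source tree"))

	return Outcome{
		Genuine:        VerifyRelease(maintainerPub, genuine),
		Tampered:       VerifyRelease(maintainerPub, tampered),
		WrongKey:       VerifyRelease(maintainerPub, wrongKey),
		OtherSourceSig: VerifyRelease(maintainerPub, otherSource),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it prints `{Genuine:true Tampered:false WrongKey:false OtherSourceSig:true}`. The last field is the point made above about source code: a downloader who checks the signature learns that the maintainer's key signed these exact bytes, which stops the fake-package case, but learning which commit they were built from requires a reproducible build the downloader can repeat, as the original poster does today by compiling from GitHub.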