
Signed releases

Open pawn-police opened this issue 3 years ago • 1 comments

What would you like to be added:

I would like releases to be signed by core contributors that I trust in such a way that if GitHub or the GitHub account was ever compromised there would still be a way to tell if the released binaries are legitimate or not.

Why is this needed:

If releases can be signed independently of GitHub it would mean that two things need to go wrong at the same time instead of one:

  • GitHub or the GitHub account has been compromised
  • Private key of a trusted contributor has been compromised

pawn-police, Sep 09 '22 11:09
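The reasoning in the issue above, shown as an added example that is not part of the original issue or the project's release process: a checksum served next to the binary stops protecting anything once the host is compromised, while a signature checked against a key obtained outside the host still fails. The use of `openssl`, the RSA key, and every file and function name are assumptions made for this constructed demo.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, file and directory here is created for illustration.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
mkdir -p "$work/host" "$work/maintainer" "$work/pinned"

sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Maintainer, off the hosting platform: create a key pair, build, sign, publish.
publish_release() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/maintainer/signing.key" 2>/dev/null
  # The user obtains this public key through a channel other than the host.
  openssl pkey -in "$work/maintainer/signing.key" -pubout -out "$work/pinned/signing.pub"
  printf 'legitimate build\n' > "$work/host/release.bin"
  sha256_of "$work/host/release.bin" > "$work/host/release.bin.sha256"
  openssl dgst -sha256 -sign "$work/maintainer/signing.key" \
    -out "$work/host/release.bin.sig" "$work/host/release.bin"
}

# Host-only compromise: binary, checksum and signature file can all be replaced,
# but the maintainer's private key is not available, so a different key signs.
simulate_host_compromise() {
  printf 'tampered build\n' > "$work/host/release.bin"
  sha256_of "$work/host/release.bin" > "$work/host/release.bin.sha256"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/other.key" 2>/dev/null
  openssl dgst -sha256 -sign "$work/other.key" \
    -out "$work/host/release.bin.sig" "$work/host/release.bin"
}

# Check 1: checksum served by the same host as the binary.
checksum_ok() {
  [ "$(sha256_of "$work/host/release.bin")" = "$(cat "$work/host/release.bin.sha256")" ]
}

# Check 2: signature verified against the key pinned outside the host.
signature_ok() {
  openssl dgst -sha256 -verify "$work/pinned/signing.pub" \
    -signature "$work/host/release.bin.sig" "$work/host/release.bin" >/dev/null 2>&1
}

verdict() { if "$1"; then echo pass; else echo FAIL; fi; }

publish_release
echo "as published:     checksum=$(verdict checksum_ok) signature=$(verdict signature_ok)"
simulate_host_compromise
echo "host compromised: checksum=$(verdict checksum_ok) signature=$(verdict signature_ok)"
```

The second line of output is the case the issue is about: the checksum still passes because it came from the same host, and only the signature check against the pinned key rejects the replaced binary.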

@pawn-police: Thanks for opening an issue, it is currently awaiting triage.

The triage/accepted label can be added by foundation members by writing /triage accepted in a comment.

I am a bot created to help the DeFiCh developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the DeFiCh/oss-governance-bot repository.

defichain-bot, Sep 09 '22 11:09