prosody-filer

Verifying sources and/or binaries

Open Gigadoc2 opened this issue 4 years ago • 3 comments

It seems that you currently do not sign the git tags or the published binary. To enable (semi-)automatic updates of prosody-filer in production, it would be nice to have some way to automatically verify that the sources used to build the binary or the downloaded binary itself is indeed still coming from you ;)

Gigadoc2 • Feb 04 '20 11:02

Hi! Recently I've planned to do that in the future :) (or even provide an apt repository or something similar)

On 4 February 2020 at 12:31:17, Gigadoc2 wrote:

It seems that you currently do not sign the git tags or the published binary. To enable (semi-)automatic updates of prosody-filer in production, it would be nice to have some way to automatically verify that the sources used to build the binary or the downloaded binary itself is indeed still coming from you ;)

ThomasLeister • Feb 04 '20 16:02

+1 for apt repository! :)

ghost • Feb 20 '20 17:02

Latest commits make use of signed commits, now. I don't consider this a full solution to your wish, but it might be a first step. I'd be happy to offer you an apt repository, soon. There have been experiments already, but I don't feel confident enough for the package maintainer / repo maintainer role, yet. So don't expect an APT repo, too soon ;)

ThomasLeister • May 24 '21 12:05
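
An added example, not part of the thread or of the prosody-filer project: one way an update job could gate a build on the signed commits mentioned above, by checking the raw GnuPG status from `git verify-commit --raw` against a pinned primary key fingerprint. It assumes OpenPGP-signed commits; `PINNED_FPR`, the function names and all sample status lines are constructed placeholders.

```shell
# Constructed placeholder, not the real prosody-filer key: replace it with the
# maintainer's primary key fingerprint obtained out of band.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read GnuPG status lines on stdin. Succeed only if a VALIDSIG line names the
# pinned primary key and nothing reports a bad, expired or revoked signature.
check_status() {
    cs_pinned=$1
    cs_ok=1
    while IFS= read -r cs_line; do
        case $cs_line in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*) return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # The last VALIDSIG field is the primary key fingerprint,
                # which stays stable when the maintainer rotates subkeys.
                if [ "${cs_line##* }" = "$cs_pinned" ]; then cs_ok=0; fi ;;
        esac
    done
    return "$cs_ok"
}

# Gate for an update job: `git verify-commit --raw` prints the status lines
# on stderr. Example call before building: verify_commit HEAD || exit 1
verify_commit() {
    git verify-commit --raw "$1" 2>&1 | check_status "$PINNED_FPR"
}

# Constructed status output: signed by a subkey of the pinned primary key.
sample_pinned() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 0000111122223333 Constructed Maintainer" \
        "[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2021-05-24 1621857600 0 4 0 1 10 00 $PINNED_FPR"
}

# Constructed status output: a valid signature, but from an unrelated key.
sample_other_key() {
    printf '%s\n' \
        "[GNUPG:] GOODSIG 3333222211110000 Someone Else" \
        "[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2021-05-24 1621857600 0 4 0 1 10 00 9999888877776666555544443333222211110000"
}

# Constructed status output: pinned key, but the key has expired.
sample_expired() {
    printf '%s\n' \
        "[GNUPG:] EXPKEYSIG 0000111122223333 Constructed Maintainer" \
        "[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2021-05-24 1621857600 0 4 0 1 10 00 $PINNED_FPR"
}
```

Pinning the fingerprint takes the place of a web-of-trust decision, so the check does not look at the TRUST_* status lines; the signing key still has to be present in the keyring of the user running the job.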