From: tmz at pobox.com (Todd Zullinger)
Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
Date: Mon, 9 Mar 2015 18:42:48 -0400
Message-ID: <20150309224248.GY3567@zaya.teonanacatl.net>
In-Reply-To: <CAHmME9rtdSJUKTscMnHXbghFq6TOjV7-bzqKZ=k_UF3feBuZ2A@mail.gmail.com> <CAHmME9q+VDnmM7sFf+dS2+mivLGEyw7TNdTx32pb1fm=ukuemA@mail.gmail.com>
Jason A. Donenfeld wrote:
> On Mar 8, 2015 12:35 AM, "Todd Zullinger" <tmz at pobox.com> wrote:
>> But while we're on the subject, are there PGP signatures available
>> for the cgit tarballs themselves?
>
> I include a sha256 of the tarball in the announcement emails. Those
> emails are pgp signed. My pgp key is embedded in the repo, as well,
> and it's verifiable that all announce emails have been signed with
> the same key.
(It's a SHA1, isn't it? Not that I care terribly about that part,
other than a general preference for SHA256. :)
More importantly, verifying the PGP signature from an archive is not
always easy. More often than not, list archives introduce subtle
whitespace damage or worse.
The other point that John made is more interesting. If cgit generates
a tarball on demand, aren't there opportunities for the hash in the
announcement mail (or a detached signature) to become invalid? I
believe that git archive has made changes in the past to avoid
including the timestamp in the gzip archive, which helps. I don't
know if there are other ways this could change.
In the end, I don't know if it's a problem that can be solved in a way
that doesn't cause more work for you as a maintainer or the other fine
folks who are contributing. That's certainly not my intention. ;)
> On Mar 9, 2015 9:49 PM, "John Keeping" <john at keeping.me.uk> wrote:
>> It turns out that GMane mangles the list address in the message,
>
> Better archives:
> http://lists.zx2c4.com/pipermail/cgit/
I tried that earlier, before posting, and found that it munges things
too. Mailman's munging is often due to whitespace changes and is
hard to avoid. Maybe the change to hyperkitty in Mailman 3 will
improve this aspect of the archives. ;)
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damn you and your estrogenical treachery!
-- Stewie Griffin
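The on-demand tarball concern raised above, as an added illustration that is not part of this email or of cgit: two gzip streams wrapping an identical tar payload differ in their SHA-256 as soon as the gzip header MTIME field (bytes 4..7 of the RFC 1952 header) is stamped with the generation time, so a verifier should be able to tell that case apart from a genuinely altered archive. File names and contents are constructed sample data.

```python
import gzip
import hashlib
import io
import struct
import tarfile


def make_tarball(files, mtime):
    """Build a gzip-compressed tar in memory from constructed sample data.

    `mtime` is written into the gzip header's MTIME field, which is what an
    on-demand archive generator stamps with the current time unless it
    deliberately zeroes it (as git archive does).
    """
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed entry mtime so only the gzip header varies
            tar.addfile(info, io.BytesIO(data))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def gzip_header_mtime(data):
    """Return the little-endian 32-bit MTIME field of a gzip header."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return struct.unpack("<I", data[4:8])[0]


def verify_tarball(data, expected_sha256):
    """Compare downloaded bytes against a published digest.

    Returns (matches, header_mtime): a non-zero header MTIME on a mismatch
    points at a re-generated archive rather than a tampered payload.
    """
    return sha256(data) == expected_sha256, gzip_header_mtime(data)


FILES = {"cgit-x.y/README": b"constructed sample content\n"}  # hypothetical


def demo():
    published = make_tarball(FILES, mtime=0)             # reproducible header
    regenerated = make_tarball(FILES, mtime=1425940968)  # stamped on demand
    same_payload = gzip.decompress(published) == gzip.decompress(regenerated)
    ok, hdr_mtime = verify_tarball(regenerated, sha256(published))
    return same_payload, ok, hdr_mtime
```

`demo()` returns `(True, False, 1425940968)`: the tar contents are byte-identical, yet the published digest no longer matches, and the header MTIME explains why.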