From mboxrd@z Thu Jan 1 00:00:00 1970
From: tmz at pobox.com (Todd Zullinger)
Date: Mon, 9 Mar 2015 18:42:48 -0400
Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
In-Reply-To:
Message-ID: <20150309224248.GY3567@zaya.teonanacatl.net>

Jason A. Donenfeld wrote:
> On Mar 8, 2015 12:35 AM, "Todd Zullinger" wrote:
>> But while we're on the subject, are there PGP signatures available
>> for the cgit tarballs themselves?
>
> I include a sha256 of the tarball in the announcement emails. Those
> emails are pgp signed. My pgp key is embedded in the repo, as well,
> and it's verifiable that all announce emails have been signed with
> the same key.

(It's a SHA1, isn't it? Not that I care terribly about that part, other
than a general preference for SHA256. :)

More important is that verifying the PGP signature from an archive is
not always easy. More often than not, list archives introduce subtle
whitespace damage or worse.

The other point that John made is more interesting. If cgit generates a
tarball on demand, aren't there opportunities for the hash in the
announcement mail (or a detached signature) to become invalid? I believe
that git archive has made changes in the past to avoid including the
timestamp in the gzip archive, which helps. I don't know if there are
other ways this could change.

In the end, I don't know if it's a problem that can be solved in a way
that doesn't cause more work for you as a maintainer or the other fine
folks who are contributing. That's certainly not my intention. ;)

> On Mar 9, 2015 9:49 PM, "John Keeping" wrote:
>> It turns out that GMane mangles the list address in the message,
>
> Better archives:
> http://lists.zx2c4.com/pipermail/cgit/

I tried that earlier, before posting, and found that it munges things
too. Mailman's munging is often due to whitespace changes and is hard
to avoid. Maybe the change to hyperkitty in Mailman 3 will improve this
aspect of the archives.

;)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damn you and your estrogenical treachery!
    -- Stewie Griffin