Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 04 May 2013 05:08:06 -0400
From: Daniel Kahn Gillmor <>
To: nicolas vigier <>,
Subject: Re: upstream source code authenticity checking

On Thu 2013-04-25 10:03:15 -0400, nicolas vigier wrote:

> The good thing about PGP signed tarballs is that an automated check
> could be integrated in package build, with some standard macros or
> script to make it easy to check signature from a specific key. If it's
> easy and does not cost time then more packagers will do it.

For debian, this suggestion was made in
for the "uscan" tool, which looks for new upstream releases.

I've just supplied a patch to that bug with a simple implementation for
the common case where the signatures are distributed alongside the
tarballs with a similar name, and are made by one of a small set of
known keys.

It has some flaws, but it's certainly better than doing nothing.  I
welcome review and/or feedback and suggestions on that bug report.



Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.