Cryptographically signed releases

Marc Lehmann schmorp at schmorp.de
Fri Jan 3 20:51:44 CET 2014


On Fri, Jan 03, 2014 at 04:35:46PM +0100, Mariska Koch <omgoch at gmail.com> wrote:
> Can you distribute your source code (the tar.gz files) via for example
> https

What would the point of https be?

> and provide cryptographic signatures for the releases such that users
> can know that they got the software from you and not from Mallory?

And that somehow makes it trustworthy? And how would users know that from
a signature anyway? Who would be the trust broker for the signature?

I am not convinced the added value is actually worth the effort.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\




More information about the rxvt-unicode mailing list