Re: publish PGP-signed git bundles of gnulib?
From: Bruno Haible
Subject: Re: publish PGP-signed git bundles of gnulib?
Date: Tue, 10 Dec 2024 11:52:17 +0100
Simon Josefsson wrote:
> Why you may ask?
Yes, the question immediately comes up: What problem do you propose to solve?
> 1) If savannah is offline or compromised, having widely mirrored
> known-good offline copies of the entire gnulib repository is nice.
>
> 2) Output of 'git clone' is not serialized and does not use a stable
> format, so a 'tar cfz gnulib-20241210.tar.gz gnulib/' works poorly.
>
> 3) It would add PGP-style authentication and integrity checking of the
> repository. Currently we only offer HTTPS against Savannah and the
> WebPKI is not as strong as trusting a PGP signature directly.
These three arguments apply to all packages that are hosted on savannah,
from emacs to coreutils, and from libidn to gnutls.
Do you plan to propose the same thing for essentially all GNU packages?
Or is there a specific reason why you propose it for Gnulib?
Bruno