Hi - it's mostly laziness. The SourceForge release process was a bit clunky with me making a .deb and .tar.gz and then emailing that to cboltz who did something with RPM files, and then somehow that all magically got on SourceForge ....
GitHub is a lot easier in that respect (push a tag, go to create a new release and that's it).
Anyway, it is possible to attach a gpg signature file etc. to the GitHub release - which would do what I think you're asking. I suspect I'll need to swot up on how to do gpg signing again!
I have not updated my little local instance since the migration from SourceForge to GitHub and I wonder: why are we supposed to simply trust the released tarballs on GitHub, as if GitHub is not hackable? Back in the days,
between
$ wget -O postfixadmin.tgz https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.3.13.tar.gz
and
one would get the publishing developer's public key and verify the signature:
Skipping on this looks like a regression to me?
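
The sign-and-verify flow discussed in this thread, as an added example that is not part of the thread or the project's release tooling. The key, tarball, file names and helper functions are all constructed, and the check pins the signer's fingerprint instead of accepting any "good signature" from the keyring.

```bash
#!/usr/bin/env bash
# Added example: detached-signature check for a release tarball.
# Everything is constructed: throwaway key, dummy tarball, temporary keyring.
export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"

# Maintainer side: create a signing-only key, then publish tarball + .asc.
make_signed_release() {
  gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
      --quick-generate-key 'Release Signer (constructed) <signer@example.invalid>' \
      ed25519 sign never 2>/dev/null
  echo 'constructed release payload' > "$WORK/payload.txt"
  tar -C "$WORK" -czf "$WORK/release.tar.gz" payload.txt
  gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
      --armor --detach-sign --output "$WORK/release.tar.gz.asc" "$WORK/release.tar.gz"
}

# The fingerprint a user would obtain out of band and pin.
signer_fingerprint() {
  gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# User side: succeed only if the signature is valid AND made by the pinned key.
# gpg writes "[GNUPG:] VALIDSIG <fingerprint> ..." to the status fd only when
# the signature verifies; a modified file yields BADSIG instead.
verify_release() {  # args: tarball signature pinned_fingerprint
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
    | grep -qF "[GNUPG:] VALIDSIG $3 "
}

make_signed_release
FPR="$(signer_fingerprint)"

# Simulate a download that was modified after the maintainer signed it.
cp "$WORK/release.tar.gz" "$WORK/tampered.tar.gz"
echo 'x' >> "$WORK/tampered.tar.gz"

verify_release "$WORK/release.tar.gz" "$WORK/release.tar.gz.asc" "$FPR" \
  && echo "release.tar.gz: signature OK for $FPR"
verify_release "$WORK/tampered.tar.gz" "$WORK/release.tar.gz.asc" "$FPR" \
  || echo "tampered.tar.gz: REJECTED"

# Stop the background daemons gpg started for the temporary keyring.
gpgconf --kill all 2>/dev/null || true
```

The signature only helps if the fingerprint reaches users over a channel other than the release page that serves the tarball and the `.asc` file.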