[ntp:hackers] Verifying released sources
Kurt Roeckx
kurt at roeckx.be
Sun Dec 29 22:16:29 UTC 2013
On Sun, Dec 29, 2013 at 11:35:11AM -0500, Danny Mayer wrote:
>
> If you want we could probably arrange for signed announcements that
> contain the hashsum of the release and that would take care of the issue
> of trusting the available hashsum. That would take some work to
> implement since it would require changes to the way that announcements
> go out.

I would like to see either:
- A detached signature of the tar file that can be downloaded
  (like the .md5 now)
- A mail with the hash sum that is signed.

The key part being that there is a way for me to check a
signature. In either case this is probably going to require
some work.

PS: The current apt repository seems to use a 1024D key. I hope
that can be replaced by a stronger key. It only contains the
ntp-dev versions so I can't use that to verify the stable
releases.

Kurt