[ntp:hackers] Verifying released sources

Kurt Roeckx kurt at roeckx.be
Sun Dec 29 22:16:29 UTC 2013


On Sun, Dec 29, 2013 at 11:35:11AM -0500, Danny Mayer wrote:
> 
> If you want we could probably arrange for signed announcements that
> contain the hashsum of the release and that would take care of the issue
> of trusting the available hashsum. That would take some work to
> implement since it would require changes to the way that announcements
> go out.

I would like to see either:
- A detached signature of the tar file that can be downloaded
  (like the .md5 now)
- A mail with the hash sum that is signed.

The key part being that there is a way for me to check a
signature.  In either case this is probably going to require
some work.

PS: The current apt repository seems to use a 1024D key.  I hope
that can be replaced by a stronger key.  It only contains the
ntp-dev versions so I can't use that to verify the stable
releases.


Kurt


