Re: [PATCH] build: sign tarball instead of sha256sum

Subject: Re: [PATCH] build: sign tarball instead of sha256sum

Date: Fri, 15 Mar 2019 10:56:58 -0300

To: Daniel Kahn Gillmor, Adam Majer, Carl Worth, notmuch@notmuchmail.org

From: David Bremner


Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

>
> sure, though i'd change the .sha256.asc to be a clearsigned file instead
> of the current ASCII-armored OpenPGP message that it currently is (as
> Adam suggested elsewhere in this thread).  And we can ditch the .sha256
> itself, which doesn't seem to be doing any useful work.
>
>       --dkg

Err, wouldn't we be relying on the .sha256 file to be byte reproducible in
perpetuity then? That seems to tie us to coreutils and reduce the
options of users for verification, no?

d
_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
