[Pkg-privacy-maintainers] Packaging workflow onioncircuits
Ulrike Uhlig
ulrike at debian.org
Tue Jul 9 16:02:01 BST 2019
Hi!
On 09.07.19 13:52, intrigeri wrote:
> Ulrike Uhlig:
>> Do we agree that this tarball has no signature?
>
> It has no signature but FWIW it's in an APT repo so assuming one has
> a trust path to the Tails APT repo's signing key, it's technically
> feasible to verify the authenticity/integrity of this file (including
> its version, which one can't do with detached tarball signatures).
> I'm not saying it's easy nor fun, though :)
I'm taking this remark as a cute technical nitpick (<3), but I doubt
this is something that real people made out of flesh and stardust
actually do in practice ;(
@git verify-tag -v $VERSION@ does the job in a straightforward manner as
far as I'm concerned :)
Cheers,
Ulrike
More information about the Pkg-privacy-maintainers
mailing list