Re: Contributed packages and trust problem ? - Mailing list pgadmin-hackers

From Raphaël Enrici
Subject Re: Contributed packages and trust problem ?
Date
Msg-id 3F36C04A.7070808@club-internet.fr
In response to Re: Contributed packages and trust problem ?  ("Dave Page" <dpage@vale-housing.co.uk>)
List pgadmin-hackers
Dave Page wrote:

>It's rumoured that Raphaël Enrici once said:
>
>>>What did you have in mind, a pgp sig for each file? I don't see that as
>>>a problem for each packager to create.
>>
>>As RPM and DEB packages integrate gpg signatures, I just wanted to
>>know if there was a pgp/gpg key global to the pgAdmin team, something
>>that was used to sign the files of the project like binaries, sources,
>>etc. I'm OK to sign the deb package myself.
>>I also wanted to know if you used to sign the files in the past, for
>>example the source tarball and win32 packages.
>
>No, there is no 'global' key. That would probably be pretty insecure. I
>would think that a pgp/gpg sig from the packager would suffice - it would
>at least prove that the file hadn't been tampered with. Mind you, it doesn't
>prevent someone packaging their own version and pretending they are the
>official packager. Perhaps I should sign everything.
Dear Dave,

IMHO, you should at least sign the tarball you publish as the beta
release, and all packagers should verify it against your public key
before packaging anything; they should also sign their packages with
their own keys. Maybe we should also publish a link to our personal
public keys, or the way to get them.

Cheers,
Raphaël
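The workflow proposed in this thread (maintainer signs the tarball, packagers verify it against the maintainer's key before packaging), written out as an added example; this is not code from pgAdmin or any of its packagers. It assumes GnuPG 2.x on PATH, and the file names and key ids are placeholders. The verify step pins the expected fingerprint, since a bare `gpg --verify` accepts a good signature from any key in the keyring.

```shell
#!/bin/sh
# Added example (not code from pgAdmin or its packagers): the maintainer makes a
# detached signature over the release tarball, and a packager verifies it against
# a PINNED fingerprint before packaging anything.
# Assumptions: GnuPG 2.x is on PATH; file names and key ids are placeholders.
set -eu

# sign_release TARBALL KEYID -> writes TARBALL.asc, an ASCII-armored detached signature.
# A detached signature leaves the tarball itself byte-for-byte unchanged.
sign_release() {
    gpg --batch --yes --local-user "$2" --armor --detach-sign --output "$1.asc" "$1"
}

# verify_release TARBALL SIGNATURE EXPECTED_FINGERPRINT
# Returns 0 only if the signature is valid AND was made by the pinned key.
# A bare "gpg --verify" exits 0 for a good signature from *any* key in the keyring,
# which is exactly the "pretending to be the official packager" case from the thread.
verify_release() {
    tarball=$1
    sig=$2
    expected=$3
    # --status-fd 1 emits machine-readable "[GNUPG:] ..." lines on stdout;
    # the human-readable report goes to stderr and is discarded here.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "BAD or missing signature on $tarball" >&2
        return 1
    }
    # Require GOODSIG; EXPKEYSIG/REVKEYSIG (expired or revoked signing key) are rejected.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || {
        echo "signature on $tarball is not from a currently valid key" >&2
        return 1
    }
    # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last field the
    # primary key fingerprint; accept the pinned value if it matches either.
    if ! printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; print $NF}' \
            | grep -qix -- "$expected"; then
        echo "good signature on $tarball, but not from pinned key $expected" >&2
        return 1
    fi
    echo "verified: $tarball is signed by $expected"
}
```

A packager would put the maintainer's fingerprint in the build script as a constant and refuse to build when `verify_release` fails.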
