[PATCH] build: sign tarball instead of sha256sum

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Mar 15 01:48:55 PDT 2019


On Thu 2019-03-14 22:49:44 -0300, David Bremner wrote:
> OK, so apparently this is a problem for almost every project, including
> GnuPG? That's mildly terrifying...

sigh, i know :(

> I don't mind either way, but it does seem like there is a tradeoff,
> since with the previous version I suspect many people are just not
> verifying the signature (e.g. can uscan in debian handle the sha256sum
> scheme?).

i thought about that on my bike ride home.  the right answer is "uscan
needs to be able to check signatures of this form, and Someone™ should
probably file a report in the BTS".  So I looked in the BTS, and noticed
that it's actually already filed (https://bugs.debian.org/874029) and
it's not just notmuch that has something comparable.  I've tagged that
bug as Affects: src:notmuch, i hope that's ok.

But of course the workaround for the meantime until that bug is resolved
is "the debian releases are typically made by the same human who
generates the signed tarballs so him checking his own signature doesn't
provide much in the way of additional security" :P

But I want to reduce the notmuch bus factor too, so hopefully we can get
uscan improved.

      --dkg