
Verify the checksum of the upstream packages, and verify if the checksum is gpg-signed #200

Open
Zlopez opened this issue Sep 27, 2018 · 0 comments

Zlopez commented Sep 27, 2018

This feature is described here: fedora-infra/anitya#191.

Example: at http://www.postgresql.org/ftp/source/v9.2.0/ there is a .md5 file.

The packager could list the gpg key, and we will just check against it. The idea is to check the key didn't change from the past, rather than doing the full verification of identity.

Bonus point: we could start to rank upstream by some metrics on "being serious by using more than md5, using a proper gpg key", i.e. assess usage (so checksum + signature), and then later people using strong enough keys and checksum (like what Qualys did for SSL).
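The three checks proposed in the issue, as an added example that is not part of the issue or of Anitya's code: verifying a downloaded file against a `.md5`-style checksum file, pinning the upstream signing key by fingerprint (trust-on-first-use, taking the fingerprint from `gpg --status-fd` output) and flagging a key change, plus a coarse ranking of how seriously the upstream signs its releases. The file names, hashes and gpg status lines are constructed sample data, and the scoring scheme is an assumption.

```python
import hashlib
import hmac
import re

ALGO_BY_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed sample inputs (not real upstream files): a checksum file and gpg status output.
SAMPLE_DATA = b"hello world"
SAMPLE_MD5_FILE = "5eb63bbbe01eeed093cb22bb8f5acdc3  example-1.0.tar.gz\n"
SAMPLE_GPG_STATUS = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>\n"
                     "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-09-27 "
                     "1538006400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n")

def parse_checksum_file(text):
    """Parse the '<hexdigest>  <filename>' layout written by md5sum/sha256sum into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        if m := re.match(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$", line.strip()):
            sums[m.group(2)] = m.group(1).lower()
    return sums

def verify_checksum(data, filename, checksum_text):
    """Return (matches, algorithm); algorithm is None when there is no usable entry for the file."""
    expected = parse_checksum_file(checksum_text).get(filename, "")
    algo = ALGO_BY_DIGEST_LEN.get(len(expected))  # algorithm is implied by digest length
    if algo is None:
        return False, None
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected), algo

def signing_fingerprint(gpg_status):
    """Fingerprint from a 'gpg --status-fd' VALIDSIG line, or None if no valid signature."""
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2].upper()
    return None

def check_key_unchanged(gpg_status, pinned_fpr):
    """Trust-on-first-use: compare the signing key with the fingerprint pinned on an earlier release."""
    fpr = signing_fingerprint(gpg_status)
    if fpr is None:
        return "no-valid-signature", None
    if pinned_fpr is None:
        return "first-seen", fpr  # record fpr as the pin for later releases
    same = hmac.compare_digest(fpr, pinned_fpr.upper())
    return ("unchanged" if same else "key-changed"), fpr  # key-changed: investigate, do not trust

def rank_upstream(algo, key_state):
    """Assumed scale: 0 nothing, 1 md5/sha1 only, 2 strong checksum, +2 for a signature by the pinned key."""
    score = 0 if algo is None else (1 if algo in ("md5", "sha1") else 2)
    return score + (2 if key_state in ("unchanged", "first-seen") else 0)
```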
