Re: [Savannah-hackers] savannah update

From: Paul Fisher
Subject: Re: [Savannah-hackers] savannah update
Date: Tue, 13 Jan 2004 18:51:14 -0500
User-agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.2 (gnu/linux)

Loic Dachary <address@hidden> writes:

>       I do not understand why the uploaded files must be GPG signed.
> The fact that they can be signed is a very, very good option, indeed.
> I'm unsure about the rationale behind the "must".

If savannah is to require GPG signed CVS commits (once those changes
to CVS have been made), it follows that file releases should also be
signed.  With the recently added agent authentication for GPG, signing
multiple files is a lot less time consuming than before.  An
unauthenticated file upload method can always be added later if the GPG
requirement is not something that we want enforced for all projects.

>       The reason to implement such a system must be carefully
> weighed because it will impose a learning curve on all project
> maintainers and generate a vast amount of support requests.

We're going to have to help people learn to use GPG to ensure that
their software isn't trojaned in the future.  Having signed releases
is the only way to do that.

>       BTW, I very much understand why such a signature is required
> for GNU or Debian. I'm unsure for all

That's a decision that's not mine to make.  At the very least, we will
provide a secure means for projects to upload files that are GPG
signed.  If projects don't want to use it, we can provide another
means for uploading files as well.

> P.S. Could someone point me to the URL + software explaining the usage
> of this system for ? 

I'll email the file to you separately.  The directive file is the
complicated part for, and it's not required for savannah.

Example to upload foo.tar for package bar on savannah:

1. Make a detached signature for foo.tar.
2. ftp to, anonymously
3. cd to /incoming/bar
4. put foo.tar
5. put foo.tar.sig

foo.tar and foo.tar.sig will be processed by a cron job a few minutes
later, and moved into the outgoing directory for bar.  It's envisioned
that a web app will let people easily move files around / make
directories / etc.
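The incoming/outgoing processing the cron job is described as doing, as an added example in Python that is not Savannah's own code: an upload without a detached signature waits in incoming, an upload whose signature fails to verify is never published, and only a verified (file, file.sig) pair moves to outgoing. The `gpg --verify` call, the pluggable verifier and the directory layout are assumptions.

```python
"""Model of the incoming -> outgoing cron job described above: a file in
incoming/<package> is promoted to outgoing/<package> only when a detached
signature arrives with it and verifies. Added example, not Savannah's own
code; the verifier is pluggable and by default shells out to gpg (assumed
installed, with the signer's public key in the job account's keyring)."""
import shutil
import subprocess
from pathlib import Path
from typing import Callable, Dict, List


def gpg_verify(sig: Path, data: Path) -> bool:
    """Check a detached signature with gpg; exit status 0 means it verified."""
    result = subprocess.run(["gpg", "--batch", "--verify", str(sig), str(data)],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def process_incoming(incoming: Path, outgoing: Path,
                     verify: Callable[[Path, Path], bool] = gpg_verify
                     ) -> Dict[str, List[str]]:
    """Move verified (file, file.sig) pairs to `outgoing`; report the rest."""
    report: Dict[str, List[str]] = {"accepted": [], "unsigned": [], "rejected": []}
    outgoing.mkdir(parents=True, exist_ok=True)
    for data in sorted(incoming.iterdir()):
        if data.suffix == ".sig" or not data.is_file():
            continue  # signatures are handled alongside their data file
        sig = data.with_name(data.name + ".sig")
        if not sig.is_file():
            # No signature yet: leave the file in incoming for a later run.
            report["unsigned"].append(data.name)
        elif not verify(sig, data):
            # Signature does not verify: never publish, leave it for a human.
            report["rejected"].append(data.name)
        else:
            # Publish data and signature together so downloaders can verify.
            shutil.move(str(data), str(outgoing / data.name))
            shutil.move(str(sig), str(outgoing / sig.name))
            report["accepted"].append(data.name)
    return report
```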