asbru-cm team mailing list archive

[Bug 1861730] [NEW] [Package verification] Signatures or hashsums

 

Public bug reported:

Is there any way we can verify Debian packages' consistency using
original maintainers' signatures? I can't find any particular reason why
we should blindly trust packagecloud, as they are a third-party service
with their own GPG signatures that could be changed at any time.

As an alternative to signatures, I would kindly ask you to at least publish
SHA hashsums of .deb (and other) files on the GitHub releases page upon
each release, so we can compare them against the packages we download
from packagecloud.io.

** Affects: asbru-cm
     Importance: High
     Assignee: Ásbrú Connection Manager Project (asbru-cm)
         Status: In Progress


** Tags: gpg packaging

-- 
You received this bug notification because you are a member of Ásbrú
Connection Manager Project, which is a bug assignee.
https://bugs.launchpad.net/bugs/1861730

Title:
  [Package verification] Signatures or hashsums

Status in asbru-cm:
  In Progress

Bug description:
  Is there any way we can verify Debian packages' consistency using
  original maintainers' signatures? I can't find any particular reason
  why we should blindly trust packagecloud, as they are a third-party
  service with their own GPG signatures that could be changed at any time.

  As an alternative to signatures, I would kindly ask you to at least
  publish SHA hashsums of .deb (and other) files on the GitHub releases
  page upon each release, so we can compare them against the packages we
  download from packagecloud.io.

To manage notifications about this bug go to:
https://bugs.launchpad.net/asbru-cm/+bug/1861730/+subscriptions

