asbru-cm team mailing list archive

Thread
Date

[Bug 1861730] Re: [Package verification] Signatures or hashsums

To: asbru-cm@xxxxxxxxxxxxxxxxxxx
From: "Peter J. Mello" <admin@xxxxxxxxxxxxxx>
Date: Mon, 03 Feb 2020 20:56:24 -0000
Reply-to: Bug 1861730 <1861730@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

https://github.com/asbru-cm/asbru-cm/issues/378

** Bug watch added: github.com/asbru-cm/asbru-cm/issues #378
   https://github.com/asbru-cm/asbru-cm/issues/378

-- 
You received this bug notification because you are a member of Ásbrú
Connection Manager Project, which is a bug assignee.
https://bugs.launchpad.net/bugs/1861730

Title:
  [Package verification] Signatures or hashsums

Status in asbru-cm:
  In Progress

Bug description:
  Is there any way we can verify Debian packages consistency using
  original maintainers signatures? I can't find any particular reason
  why we should blindly trust packagecloud, as they are a third-party
  service with their own GPG signatures that could be changed any time.

  Alternatively to signatures, I would kindly ask you to at least
  publish SHA hashsums of .deb (and other) files on the github releases
  page upon each release, so we can compare them against the packages we
  download from packagecloud.io

To manage notifications about this bug go to:
https://bugs.launchpad.net/asbru-cm/+bug/1861730/+subscriptions

References

[Bug 1861730] [NEW] [Package verification] Signatures or hashsums
From: Peter J. Mello, 2020-02-03