Thanks for developing this useful library. Would it be possible to include a detached signature to authenticate the release tarballs?
While simply signing git release tags or even commits would be a step in the right direction, signing the actual released artifacts would be a huge help to users concerned about code authenticity.
It's not foolproof, but if the public key is published to a keyserver like https://keyserver.ubuntu.com/ in addition to someplace independent (like a developer's website or maybe even somewhere here on GitHub), then it can be used to provide a greater degree of confidence.
It looks like it should be a pretty straightforward process and would be much appreciated.