Re: Sign advisories?

From: Branko Čibej <brane_at_apache.org>
Date: Tue, 25 Oct 2016 19:44:28 +0200

On 25.10.2016 19:30, Daniel Shahaf wrote:
> When we do a security release, we upload a *.txt advisory to
> https://subversion.apache.org/security/ and link it from the
> announcement. That advisory isn't currently signed. Could we sign
> them?
>
> That'd be useful, since they contain patches. They are already signed
> in the "embargoed pre-notification" emails, IIRC; just not when they're
> uploaded to the site.

Should be moderately easy to do by tweaking tools/dist/advisory.py.

If we do this, I'd argue for making the files ASCII-armored PGP, not
keeping signatures separate.

-- Brane
Received on 2016-10-25 19:44:33 CEST

This message: [ Message body ]
Next message: Daniel Shahaf: "Re: Sign advisories?"
Previous message: Daniel Shahaf: "Sign advisories?"
In reply to: Daniel Shahaf: "Sign advisories?"
Next in thread: Daniel Shahaf: "Re: Sign advisories?"
Reply: Daniel Shahaf: "Re: Sign advisories?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]