[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Sign advisories?

From: Branko ─îibej <brane_at_apache.org>
Date: Tue, 25 Oct 2016 19:44:28 +0200

On 25.10.2016 19:30, Daniel Shahaf wrote:
> When we do a security release, we upload a *.txt advisory to
> https://subversion.apache.org/security/ and link it from the
> announcement. That advisory isn't currently signed. Could we sign
> them?
>
> That'd be useful, since they contain patches. They are already signed
> in the "embargoed pre-notification" emails, IIRC; just not when they're
> uploaded to the site.

Should be moderately easy to do by tweaking tools/dist/advisory.py.

If we do this, I'd argue for making the files ASCII-armored PGP, not
keeping signatures separate.

-- Brane
Received on 2016-10-25 19:44:33 CEST

This is an archived mail posted to the Subversion Dev mailing list.