ANNOUNCE: xfce4-terminal 0.8.3 released
archlinux at nicohood.de
Sun Jan 22 00:59:59 CET 2017
On 01/21/2017 07:59 PM, Landry Breuil wrote:
> On Wed, Jan 11, 2017 at 11:39 AM, NicoHood <archlinux at nicohood.de> wrote:
>> once again:
>> Could you please sign the sources and provide https downloads? Otherwise
>> we cannot securely verify the authenticity of the sources.
> Can you stop pushing your agenda upon developers? You've been told in
> the other thread why the situation is what it is, if you want things
> to improve, get involved in the project, modify the release manager to
> generate such bloody signatures, help configuring the server for
> https, etc. There are *plenty* of open tasks for willing
> contributors, and as I already told you, Xfce is badly understaffed.
> Oh, and by the way, git.xfce.org is accessible over https, so grab the
> damn tags from there, and generate your own tarballs if it matters
> that much to you.
A GPG key is something very sensitive to keep secure. It cannot just be
put on a release server that automatically signs the files. Or if so it
needs to be super secured against any attacks.
On the other hand it is super simple for the xfce developers to sign
their tarballs. You can use my gpgit script or just sign the files on
gpg --armor --detach-sign xfcetool-1.0.0.tar.xz
I am sorry, but all I can do is to kindly ask all maintainers to take
the topic of GPG signing seriously. I already wrote a super simple script
along with a dead simple gpg quick start documentation:
I hope all developers can take those 5 minutes to generate a key and
sign their sources.
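For packagers on the receiving end of the request above, here is an added example (not part of the original mail or of any Xfce tooling) of checking such a detached signature against a pinned key fingerprint, so that a valid signature from an unexpected key is rejected just like a modified tarball. The key, address, all-zero fingerprint and tarball contents are constructed in a scratch GNUPGHOME; GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example. Key, address and file contents are constructed throwaway values.

# verify_pinned FILE SIG FPR: succeed only if SIG is a valid detached
# signature over FILE made by the key whose primary fingerprint is FPR.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # On a VALIDSIG status line the last field is the primary key fingerprint.
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$signer" ] && [ "$signer" = "$3" ]
}

# make_demo_release: create a scratch keyring, a passphrase-less test key and
# a signed dummy tarball. Sets TARBALL and FPR for the caller.
make_demo_release() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' \
        default default never 2>/dev/null || return 1
    FPR=$(gpg --batch --with-colons --list-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')
    TARBALL="$GNUPGHOME/xfcetool-1.0.0.tar.xz"
    printf 'constructed release contents\n' > "$TARBALL"
    # Same command as in the mail; writes "$TARBALL.asc".
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign "$TARBALL"
}

# check LABEL FILE SIG FPR: print whether the pinned verification passes.
check() {
    if verify_pinned "$2" "$3" "$4"; then echo "$1: accepted"
    else echo "$1: REJECTED"; fi
}

if make_demo_release; then
    check "untouched tarball, pinned key" "$TARBALL" "$TARBALL.asc" "$FPR"
    # Pin a different (constructed) fingerprint: the signature is valid,
    # but it does not come from the expected key.
    check "untouched tarball, other key " "$TARBALL" "$TARBALL.asc" \
        0000000000000000000000000000000000000000
    printf 'x' >> "$TARBALL"   # simulate modification in transit
    check "modified tarball, pinned key " "$TARBALL" "$TARBALL.asc" "$FPR"
    gpgconf --kill gpg-agent
    rm -rf "$GNUPGHOME"
fi
```

The pinned fingerprint only helps if it was obtained over a channel independent of the download itself.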