Re: list of upstream tarball signing schemes?

To: debian-devel@lists.debian.org
Subject: Re: list of upstream tarball signing schemes?
From: Simon Richter <sjr@debian.org>
Date: Fri, 13 Dec 2019 14:54:14 +0100
Message-id: <[🔎] 20191213135414.GA6708@psi5.com>
In-reply-to: <[🔎] 741687795.13865.1576230935028@office.mailbox.org>
References: <[🔎] 741687795.13865.1576230935028@office.mailbox.org>

Hi,

On Fri, Dec 13, 2019 at 10:55:34AM +0100, Thomas Koch wrote:

> nix-2.3.1.tar.xz.asc - which signs the .sha256
> nix-2.3.1.tar.xz.sha256 - which contains the hash of the tarball
> nix-2.3.1.tar.xz

I'd grumble about this in the general direction of upstream. The signature
is generated over a hash of the input data in any case, so using a hash as
the input data does not gain anything, you just lose automatic
verification.

   Simon

Reply to:

Follow-Ups:
- Re: list of upstream tarball signing schemes?
  - From: Jeremy Stanley <fungi@yuggoth.org>

References:
- list of upstream tarball signing schemes?
  - From: Thomas Koch <thomas@koch.ro>

Prev by Date: Bug#946674: ITP: x2gothinclient -- X2Go Thin Client Environment
Next by Date: Core dumps are instantly removed
Previous by thread: Re: list of upstream tarball signing schemes?
Next by thread: Re: list of upstream tarball signing schemes?
Index(es):
- Date
- Thread