Re: [PATCH] build: sign tarball instead of sha256sum

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

[-- Attachment #1: Type: text/plain, Size: 1206 bytes --]

On Thu 2019-03-14 22:49:44 -0300, David Bremner wrote:
> OK, so apparently this is a problem for almost every project, including
> GnuPG? That's mildly terrifying...

sigh, i know :(

> I don't mind either way, but it does seem like there is a tradeoff,
> since with the previous version I suspect many people are just not
> verifying the signature (e.g. can uscan in debian handle the sha256sum
> scheme?).

i thought about that on my bike ride home.  the right answer is "uscan
needs to be able to check signatures of this form, and Someone™ should
probably file a report in the BTS".  So I looked in the BTS, and noticed
that it's actually already filed (https://bugs.debian.org/874029) and
it's not just notmuch that has something comparable.  I've tagged that
bug as Affects: src:notmuch, i hope that's ok.

But of course the workaround for the meantime until that bug is resolved
is "the debian releases are typically made by the same human who
generates the signed tarballs so him checking his own signature doesn't
provide much in the way of additional security" :P

But I want to reduce the notmuch bus factor too, so hopefully we can get
uscan improved.

      --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]