From: David Bremner
To: Daniel Kahn Gillmor, Adam Majer, Carl Worth, notmuch@notmuchmail.org
Subject: Re: [PATCH] build: sign tarball instead of sha256sum
In-Reply-To: <87o96cw8pb.fsf@fifthhorseman.net>
Date: Fri, 15 Mar 2019 10:56:58 -0300
Message-ID: <87wol0gs0l.fsf@tethera.net>
List-Id: "Use and development of the notmuch mail system."

Daniel Kahn Gillmor writes:

> sure, though i'd change the .sha256.asc to be a clearsigned file instead
> of the current ASCII-armored OpenPGP message that it currently is (as
> Adam suggested elsewhere in this thread). And we can ditch the .sha256
> itself, which doesn't seem to be doing any useful work.
>
> --dkg

Err, wouldn't we be relying on the .sha256 file to be byte reproducible
in perpetuity then? That seems to tie us to coreutils and reduce the
options of users for verification, no?

d