Re: [Savannah-hackers] Detached signatures for source files
From: Laurence Finston
Subject: Re: [Savannah-hackers] Detached signatures for source files
Date: Mon, 27 Sep 2004 15:04:22 +0200 (MEST)
Thanks for the explanation. I don't completely understand the issues
involved yet.
On Mon, 27 Sep 2004, Brian Gough wrote:
>
> To protect against this it is necessary to include metadata such as
> the version number, tag and hash of the prior version in the signature
> so that there is an audit trail from one version to the next. One way
> is to use the --set-notation option in GPG to add this information.
I'll look this up.
>
> If you are signing tar.gz files then it's less of an issue since they
> would have the version number embedded in the tarfile directory name.
>
Actually, I'm using a single "version" number for my development versions.
They are all version 1.2.0.0. When I release an official version it will
be 1.2.0.1 or 1.2.1. The tarballs are all called `3DLDFsnp.tar.gz' so
that I can just commit a new version rather than filling up the repository
with obsolete tarballs. So if I understand you correctly, they
are also subject to metadata attacks.
Laurence
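The audit-trail idea in Brian's quoted reply, and the single-version-number situation Laurence describes, can be shown end to end in a small verifier. This is an added example, not code from the thread or from the 3DLDF project: HMAC-SHA256 under a constructed key stands in for the GPG detached signature so the script runs offline, and the `version`, `sha256` and `prev-sha256` fields play the part of the notations one would attach with `gpg --set-notation`. It checks that each signed snapshot names the hash of the snapshot before it, and shows that an older, genuinely signed tarball slipped in as the newer one passes plain signature verification but fails the chain check.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the maintainer's signing key. HMAC-SHA256 plays the
# role of the GPG detached signature here; a real release process would use
# gpg --detach-sign with --set-notation to carry the same metadata.
SIGNING_KEY = b"constructed-demo-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_release(data: bytes, version: str, prev_sha256: str) -> dict:
    """Detached signature over the file hash plus the audit-trail notations:
    the version and the hash of the release that preceded it."""
    notations = {
        "version": version,
        "sha256": sha256_hex(data),
        "prev-sha256": prev_sha256,  # "" for the first release in the chain
    }
    payload = json.dumps(notations, sort_keys=True).encode()
    return {
        "notations": notations,
        "sig": hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest(),
    }


def signature_is_genuine(data: bytes, sig: dict) -> bool:
    """The check a plain signature verification performs: was this exact file
    signed by the key, with these notations?"""
    payload = json.dumps(sig["notations"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, sig["sig"])
            and sig["notations"]["sha256"] == sha256_hex(data))


def verify_chain(releases: list) -> tuple:
    """Walk releases oldest first and require that each one's prev-sha256
    notation names the file that actually came before it."""
    prev = ""
    for index, (data, sig) in enumerate(releases):
        if not signature_is_genuine(data, sig):
            return False, f"release {index}: signature does not match file"
        if sig["notations"]["prev-sha256"] != prev:
            return False, f"release {index}: prev-sha256 does not match the prior release"
        prev = sig["notations"]["sha256"]
    return True, "chain intact"


# Constructed snapshots. As in the post, every development snapshot carries
# the same version number, so only the hash chain tells them apart.
SNAP_A = b"3DLDF snapshot A (constructed contents)"
SNAP_B = b"3DLDF snapshot B (constructed contents)"
SIG_A = sign_release(SNAP_A, "1.2.0.0", "")
SIG_B = sign_release(SNAP_B, "1.2.0.0", SIG_A["notations"]["sha256"])


def honest_chain() -> tuple:
    return verify_chain([(SNAP_A, SIG_A), (SNAP_B, SIG_B)])


def rollback_attempt() -> tuple:
    """The older snapshot, with its own valid signature, is presented in place
    of the newer one. The signature is genuine; the chain check rejects it."""
    genuine = signature_is_genuine(SNAP_A, SIG_A)
    chain_ok, reason = verify_chain([(SNAP_A, SIG_A), (SNAP_A, SIG_A)])
    return genuine, chain_ok, reason


def edited_notation() -> bool:
    """Changing a notation after signing (here: relabelling the snapshot as
    an official release) invalidates the signature."""
    forged = {"notations": dict(SIG_B["notations"]), "sig": SIG_B["sig"]}
    forged["notations"]["version"] = "1.2.0.1"
    return signature_is_genuine(SNAP_B, forged)


if __name__ == "__main__":
    print(honest_chain())
    print(rollback_attempt())
    print(edited_notation())
```

The chain check is what turns "this file was signed by the maintainer" into "this file is the successor of that file"; without the `prev-sha256` notation the two identically versioned snapshots are indistinguishable to a verifier, which is exactly the metadata problem raised in the thread.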