[Package verification] Signatures or hashsums
Bug #1861730 reported by Peter J. Mello
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
asbru-cm | In Progress | High | Ásbrú Connection Manager Project | |
Bug Description
Is there any way we can verify Debian packages' consistency using the original maintainers' signatures? I can't find any particular reason why we should blindly trust packagecloud, as they are a third-party service with their own GPG signatures that could be changed at any time.
As an alternative to signatures, I would kindly ask you to at least publish SHA hashsums of .deb (and other) files on the GitHub releases page upon each release, so we can compare them against the packages we download from packagecloud.io.
https://github.com/asbru-cm/asbru-cm/issues/378
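The comparison requested above, as an added example that is not part of the bug report or of the Ásbrú project's tooling: it assumes a `SHA256SUMS` manifest in `sha256sum` output format, obtained from the release page rather than from the package host. The `verify_pkg` helper and all file names are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not project code. File names below are constructed.

# verify_pkg PACKAGE MANIFEST
# MANIFEST is in `sha256sum` output format: "<hex digest>  <file name>".
# Exit codes: 0 match, 1 digest mismatch, 2 file missing,
# 3 no single well-formed manifest entry for the package (fail closed).
verify_pkg() {
    pkg=$1
    manifest=$2
    [ -f "$pkg" ] && [ -f "$manifest" ] || return 2
    name=$(basename "$pkg")

    # Accept the entry only if the file name is listed exactly once.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }      # strip the binary-mode marker
        f == n { hits++; digest = tolower($1) }
        END { if (hits == 1) print digest }' "$manifest")

    # A SHA-256 digest is 64 hex characters; anything else is rejected.
    [ "${#expected}" -eq 64 ] || return 3
    case $expected in *[!0-9a-f]*) return 3 ;; esac

    # Hash from stdin so the file name cannot influence the output format.
    actual=$(sha256sum < "$pkg" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Demonstration on constructed data: a stand-in "package" and its manifest.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed package bytes\n' > "$dir/example_1.0_all.deb"
    (cd "$dir" && sha256sum example_1.0_all.deb > SHA256SUMS)
    rc=0; verify_pkg "$dir/example_1.0_all.deb" "$dir/SHA256SUMS" || rc=$?
    echo "untouched download: exit $rc"
    printf 'x' >> "$dir/example_1.0_all.deb"   # simulate a modified download
    rc=0; verify_pkg "$dir/example_1.0_all.deb" "$dir/SHA256SUMS" || rc=$?
    echo "modified download:  exit $rc"
    rm -rf "$dir"
}
demo
```

A missing or duplicated manifest entry is treated as a failure rather than skipped, so a package that is simply absent from the manifest never passes.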