Re: PGP signing releases

Marc G. Fournier <scrappy@hub.org>

From: "Marc G. Fournier" <scrappy@hub.org>
To: Neil Conway <neilc@samurai.com>
Cc: PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2003-02-03T02:23:14Z
Lists: pgsql-hackers
On Sun, 2 Feb 2003, Neil Conway wrote:

> Folks,
>
> I think we should PGP sign all the "official" packages that are provided
> for download from the various mirror sites. IMHO, this is important
> because:
>
> - ensuring that end users can trust PostgreSQL is an important part to
> getting the product used in mission-critical applications, as I'm sure
> you all know. Part of that is producing good software; another part is
> ensuring that users can trust that the software we put out hasn't been
> tampered with.

right, that is why we started to provide md5 checksums ...

> I'd volunteer to do the work myself, except that it's pretty closely
> intertwined with the release process itself...

well, if you want to tell me the steps, I'll consider it ...