Re: [tor-talk] Absence of digital signature of TBB sources

On Apr 4, 2012, at 2:34 PM, andrew@xxxxxxxxxxxxx wrote:

> On Wed, Apr 04, 2012 at 10:44:10AM +0000, rransom.8774@xxxxxxxxx wrote 0.7K bytes in 20 lines about:
> : The official TBBs are built from the sources in Git, not from the
> : tarballs.  There probably shouldn't be any release tarballs for TBB
> : source code.
> But anyone should be able to build TBB from the source tarball. At least,
> this is how I used to build everything way back in the day when I built
> all of the packages.
> I didn't use the source repo. I tagged a release, built a source tarball,
> and then built the packages from the tarball. This way our builds were
> official, but at least others could build their own packages the same
> way we did.

In theory the (signed, of course) tags in a git repo can fulfil the same
purpose. That's probably the model we should aim for here.

I'll poke Erinn again about the existing tarball's signatures, tho
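
One way to apply the signed-tag model mentioned in the reply above, as an added example that is not part of the original thread or of Tor's build tooling: a shell function that produces a source tarball only from a tag whose signature verifies. The function name, return codes and argument layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: derive a source tarball from a signed git tag.
# tarball_from_signed_tag and its return codes are hypothetical names.
#
# usage: tarball_from_signed_tag <repo-dir> <tag> <output.tar.gz>
tarball_from_signed_tag() {
    repo=$1 tag=$2 out=$3
    ref="refs/tags/$tag"

    # Only an annotated tag object can carry a signature. A lightweight tag
    # is just a ref to a commit, so it is rejected (as is a missing tag).
    if [ "$(git -C "$repo" cat-file -t "$ref" 2>/dev/null)" != "tag" ]; then
        echo "refusing: $tag is not an annotated tag" >&2
        return 2
    fi

    # verify-tag exits non-zero when the signature is missing, invalid, or
    # made by a key absent from the keyring. A good signature from any key
    # in the keyring passes, so the keyring used here should contain only
    # the release signing keys.
    if ! git -C "$repo" verify-tag "$ref" >&2; then
        echo "refusing: signature on $tag did not verify" >&2
        return 3
    fi

    # Archive the tree the tag points at. For a tag or commit, git archive
    # uses the commit time as file mtime, and gzip -n omits the gzip
    # timestamp, so the tarball depends only on the tagged content.
    tmp="$out.tmp.$$"
    if git -C "$repo" archive --format=tar --prefix="$tag/" "$ref" > "$tmp" &&
       gzip -n -c "$tmp" > "$out"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp" "$out"
    return 4
}
```

Anyone holding the release public key can run the same steps against their own clone and compare the tarball hash with the published one.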
