[liberationtech] Deterministic builds and software trust
Eleanor Saitta
ella at dymaxion.org
Thu Jun 20 18:35:25 PDT 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 2013.06.20 04.34, Mike Perry wrote:
> We also include the full set of git hashes, version tags, and
> input source hashes in the bundles themselves, so you know exactly
> what went into your bundle if you want to try to match it at a
> later date...

Have you considered asking developers to sign commits? That seems
like it's the next step in terms of being able to verify a complete
chain of code pedigree.

E.
- --
Ideas are my favorite toys.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iF4EAREIAAYFAlHDrd0ACgkQQwkE2RkM0wqzVwEAlPJUeCUVmHJqXd+tlNhMrkUf
8oJ9xuMT71ph90IaK3kA/R+FznDuOYdSedSz3bbFNpM/q1E81cNL52jxDNzbWhpK
=Rqmp
-----END PGP SIGNATURE-----