Comments (10)
It's a small world! :)
Gotcha on the signature thing. I'll come out w/ something, and see if that model can be applied to all my projects, subject to scripted releases.
What would you do ideally? Just GPG-sign each published archive, and provide a .sig file with the archive name, such that:
- For archive: v1.23.1-armv7.tar.gz
- Signature file is: v1.23.1-armv7.tar.gz.sig (or: v1.23.1-armv7.sig ?)
from vigil.
I'll be back to Nantes pretty soon, currently in Prague.
On the releases signature thing: it's done! Both the archive and the .asc file can be downloaded, as well as my GPG key, and verified as such:
Automated this in my release scripts across all my Rust OSS projects, and signed all latest releases. Thank you for suggesting this.
Oh cool, it's a very very nice city!
cc @Guileas
Maybe we can create a Rust meeting in Nantes?
Thank you so much for adding the GPG signature everywhere, it will definitely help
from vigil.
A meeting in Nantes what a good idea!
Ping me when the date is set 👍
from vigil.
Hi William,
Are you from Bretagne as well? I come from here too! Thank you for the generous sponsorship, it's really appreciated! :)
On your two suggestions:
- Signed tags: thank you for this, I did not know that tags could be signed, I only knew about signed commits. I've enabled this in my gitconfig, so all future tags pushed will be signed. I've also re-tagged v1.23.1 w/ a signature, to test my setup:
- Signed release builds: can do that as well, but so far I've assumed that we can trust GitHub as not to alter uploaded release files, and all authorized maintainers (that is, for now, only myself) to be trustful persons to publish legit release packages. I'll see what I can do on that one too.
from vigil.
I'll be back to Nantes pretty soon, currently in Prague.
On the releases signature thing: it's done! Both the archive and the .asc file can be downloaded, as well as my GPG key, and verified as such:
Automated this in my release scripts across all my Rust OSS projects, and signed all latest releases. Thank you for suggesting this.
from vigil.
We will be at https://eurorust.eu/ in Berlin, will you?
Would have been interested! But unfortunately I'm not available at those dates.
from vigil.
Hi William,
Are you from Bretagne as well? I come from here too! Thank you for the generous sponsorship, it's really appreciated! :)
Yeah, I am currently in the center of Brittany 🎉
I am very happy to sponsor Rust work that will be used by my company @wdes
On your two suggestions:
- Signed tags: thank you for this, I did not know that tags could be signed, I only knew about signed commits. I've enabled this in my gitconfig, so all future tags pushed will be signed. I've also re-tagged v1.23.1 w/ a signature, to test my setup:
That's cool! You can force push the tag if you want to make it available. It can wait for the next release
- Signed release builds: can do that as well, but so far I've assumed that we can trust GitHub as not to alter uploaded release files, and all authorized maintainers (that is, for now, only myself) to be trustful persons to publish legit release packages. I'll see what I can do on that one too.
Haha yes, but we can not trust third parties that easily (IMO). I personally think it is too easy to steal a token from you or find a way to alter the artifact without anyone noticing. Having gpg signatures for the artifacts just makes sure that:
- you uploaded it
- my scripts using it will be sure nobody altered the binary in transit
from vigil.
Yeah, will you go to France any time soon?
From what I observed most packaging people provide .asc files. It's just --armor signature files. .sig files are just binary content that is not easy to copy-paste if necessary.
from vigil.
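What a consuming script should do with the archive and its .asc file, as an added example (not code from vigil or from anyone in this thread): it runs gpg with --status-fd and accepts the archive only when the VALIDSIG line names a maintainer fingerprint pinned in advance, since gpg's exit code alone is 0 for any good signature, including one from a key nobody vouched for. The fingerprint and the gpg status lines are constructed samples.

```python
import re
import subprocess

# Constructed placeholder fingerprint standing in for the maintainer's real key.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed samples of what gpg --status-fd prints: a good signature, and a
# tampered archive whose signature no longer matches.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-05-01 1682899200 0 4 0 22 8 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maint@example.invalid>\n"
_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def evaluate_status(status_output, pinned_fprs):
    """Return (ok, reason) for a detached signature from gpg --status-fd output.
    'gpg --verify' exits 0 on GOODSIG even for a key nobody vouched for, so the
    decision is tied to the primary fingerprint on the VALIDSIG line, which must
    match a maintainer fingerprint pinned out of band (not one fetched from the
    same release page as the archive).
    """
    pinned = {fp.replace(" ", "").upper() for fp in pinned_fprs}
    good, primary = False, ""
    for line in status_output.splitlines():
        m = _STATUS.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"gpg reported {keyword}"
        if keyword == "NO_PUBKEY":
            return False, "signing key not in keyring; import the maintainer key first"
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint; older gpg only gives the signing key's.
            primary = (args[9] if len(args) >= 10 else args[0]).upper()
    if not (good and primary):
        return False, "no valid signature found"
    if primary not in pinned:
        return False, f"signed by unpinned key {primary}"
    return True, f"good signature from pinned key {primary}"

def verify_release(archive, pinned_fprs):
    """Check <archive> against its armored detached signature <archive>.asc."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           archive + ".asc", archive], capture_output=True, text=True)
    return evaluate_status(proc.stdout, pinned_fprs)
```

A release script would call verify_release("v1.23.1-armv7.tar.gz", {PINNED_FPR}) after downloading both files and abort on anything but ok.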
That's a cool idea. If you want to discuss that we may continue over email, ping me anytime!
from vigil.
We will be at https://eurorust.eu/ in Berlin, will you?
from vigil.