Devrim GÜNDÜZ <devrim at gunduz.org> writes:
> On Wed, 2010-10-13 at 13:34 -0400, Steve Singer wrote:
>
>> I've repackaged 1.2.21 and 2.0.5 to include the man1 and man7 
>> directories and updated the files on the downloads site.
>
> Now we have 2 different tarballs around having different md5sums, or
> so...

I'm not thrilled with that, but our process of generating the md5sums is
pretty "open"; it's literally a make target.

If we truly want strong checksums, then I think we'd want to formalize
the use of GPG signatures.  That's a bigger step than seems reasonable.

If someone's *really* that concerned about the provenance of the code, I
imagine they might want to check their own copy of the git repo and
generate a tarball themselves, in which case what we produce isn't of
much value anyways.

If someone was really excited about needing to sign everything, then
maybe we should consider that path, but nobody's pointed at it as an
issue thus far...
-- 
let name="cbbrowne" and tld="afilias.info" in name ^ "@" ^ tld;;
Christopher Browne
"Bother,"  said Pooh,  "Eeyore, ready  two photon  torpedoes  and lock
phasers on the Heffalump, Piglet, meet me in transporter room three"