
Re: [Mingw-msys] Reconstruction of MSYS-1.0.11 test results.




Hi there,

I'm not quite sure whom to contact about cryptographic signatures for
MinGW and MSYS binary releases. I've joined both mingw-users (as I'm a
user of MinGW) and mingw-msys (as I'm also an MSYS user). If there is a
better place to ask this question, please let me know.

Currently, I'm part of a team of people that uses various different
pieces of software to produce a web browser bundle[0]. We use MinGW and
MSYS to produce our builds as it is quite useful. Some of the software
we use has PGP signatures to verify the release we're compiling is free
from tampering.

However, we face an interesting challenge: it doesn't seem obvious how
we can confirm that MinGW and MSYS are free from tampering. I wasn't
able to find PGP signatures for releases. Are there any? Have I simply
overlooked them? If there aren't any, would it be possible to produce some?

The process[1] for building our project is documented and semi-automated.
To fully automate it and ensure our package is untampered with, we'd
love to be able to verify your package releases.

Specifically, it would be great if MinGW/MSYS would use GnuPG or PGP to
sign current as well as future releases. We'd be open to other signature
methods too.

Best regards,
Jacob Appelbaum

[0] http://torbrowser.torproject.org/
[1] https://tor-svn.freehaven.net/svn/torbrowser/trunk/build-scripts/INSTALL

_______________________________________________
Mingw-msys mailing list
Mingw-msys@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/mingw-msys