On Wed, Oct 10, Dmitry V. Levin wrote:
On Tue, Sep 18, 2012 at 01:37:54PM -0000, linux-pam wrote:
> #11: sign the released tarballs
> ---------------------+------------------------------
> Reporter: vbatts | Owner: pam-developers@…
> Type: defect | Status: new
> Priority: major | Component: library
> Version: | Keywords:
> Blocked By: | Blocking:
> ---------------------+------------------------------
> Previously the tarballs that landed on
kernel.org were signed by the
> trusted key 0x517D0F0E, but now the tarballs on
>
https://fedorahosted.org/releases/l/i/linux-pam/ have no signature at all.
> We not be using Linux-PAM source that does not have a trusted signature.
Well, there is a problem indeed.
Tarballs for 1.1.6 release seems to be not yet signed. The last signed
tarball at
http://www.linux-pam.org/library/ is 1.1.5, and
https://fedorahosted.org/releases/l/i/linux-pam/ contains no signatures
at all.
The last signed one is 1.1.4, because that's the last one released
on
kernel.org.
The signing was done by
master.kernel.org
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)