
Author Topic: Secure Checkout of Source  (Read 1261 times)

R0b0t1

  • Full Member
  • ***
  • Posts: 174
Secure Checkout of Source
« on: November 22, 2017, 04:17:34 am »
Is it possible to securely check out the Lazarus and FreePascal Compiler sources? They are hosted on SVN so I will assume no. Are signed digests available?

I found the checksums page, but if possible I would appreciate it if the checksums were signed with a GPG key.

Cheers,
     R0b0t1

marcov

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 6326
Re: Secure Checkout of Source
« Reply #1 on: November 22, 2017, 01:05:33 pm »
No, currently this is not available.

R0b0t1

Re: Secure Checkout of Source
« Reply #2 on: November 23, 2017, 05:36:44 am »
Does any place exist where it would be appropriate to request those things?

marcov

Re: Secure Checkout of Source
« Reply #3 on: November 23, 2017, 07:03:18 am »
Building is currently pretty decentralized, so that would first have to change.

R0b0t1

Re: Secure Checkout of Source
« Reply #4 on: November 25, 2017, 10:48:46 am »
Decentralized releases could work. E.g. if you go to verify OpenJDK releases they instruct you to import more or less every developer's key.

I think that is potentially not the best method, but it is better than nothing.

 
