
Author Topic: Secure Checkout of Source  (Read 2885 times)

guest60499

  • Guest
Secure Checkout of Source
« on: November 22, 2017, 04:17:34 am »
Is it possible to securely check out the Lazarus and FreePascal Compiler sources? They are hosted on SVN so I will assume no. Are signed digests available?

I found the checksums page, but if possible I would appreciate it if the checksums were signed with a GPG key.

Cheers,
     guest

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11383
  • FPC developer.
Re: Secure Checkout of Source
« Reply #1 on: November 22, 2017, 01:05:33 pm »
No, currently this is not available.

guest60499

  • Guest
Re: Secure Checkout of Source
« Reply #2 on: November 23, 2017, 05:36:44 am »
Does any place exist where it would be appropriate to request those things?

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11383
  • FPC developer.
Re: Secure Checkout of Source
« Reply #3 on: November 23, 2017, 07:03:18 am »
Building is currently pretty decentralized, so that would first have to change.

guest60499

  • Guest
Re: Secure Checkout of Source
« Reply #4 on: November 25, 2017, 10:48:46 am »
Decentralized releases could work. E.g. if you go to verify OpenJDK releases they instruct you to import more or less every developer's key.

I think that is potentially not the best method, but it is better than nothing.

 
