Am I the only person in the universe who verifies signatures for software source tarballs? This is the *second* time I've had to report this exact same ticket on the project: github.com/etcd-io/etcd/issues

And the fact that they're replacing PGP signatures with a tool whose README (a) has a big warning that it's alpha-quality and should not be used, and (b) says that it is not a suitable replacement for PGP signatures and should not be used as such... :sad_but_cool:

Interesting because it seems they’re signing their git tags diligently: https://github.com/etcd-io/etcd/releases

I wonder what they mean by “having access to the signing key”. Sadly there are no procedures for access described on https://coreos.com/security/app-signing-key/
