Signing releases

Dear Radicle,

Would you consider offering signed tarballs or the like for
installing? I'm afraid I'm too squeamish to install from an
unverified download. Perhaps you could publish a GPG key and later
use it to sign things?

I wish you success with the project.

--
Nick

Hi Nick,

Signing is definitely a concern for us and we discussed this in the scope of packaging 1.
Since Radicle is under heavy development, we currently use a lightweight and fully automated
release process to get updates out quickly. This means, for example, that we implicitly trust the
CI services. How signatures would fit into this process is still a matter of discussion.

If you have any input into this or know of other projects that have a good strategy that we could
adapt, please write us.

  • Thomas

On Wed, Mar 13, 2019 at 11:25 AM ‘Nick’ via Radicle radicle@monadic.xyz wrote:

Dear Radicle,

Would you consider offering signed tarballs or the like for
installing? I’m afraid I’m too squeamish to install from an
unverified download. Perhaps you could publish a GPG key and later
use it to sign things?

I wish you success with the project.

Nick