View Issue Details

ID: 0014376
Project: mantisbt
Category: security
View Status: public
Last Update: 2012-09-16 17:21
Reporter: nextgens
Assigned To: dregad
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: no change required
Summary: 0014376: Releases should be signed
Description

Please sign your released code to enable users to check authentication, integrity and non-repudiation.

If possible, use an OpenPGP Compatible ASCII Armored Detached Signature.

Additional Information

Some reference material from the ASF:
https://www.apache.org/dev/release-signing#motivation

Tags: No tags attached.

Activities

dhx

2012-06-09 09:27

reporter   ~0032052

Agreed. We also need to ensure that developers are signing tags (the last release where this was the case was release-1.2.8).

dregad

2012-06-15 11:07

developer   ~0032109

With the exception of some old 1.2 alpha and 1.2.9, all Release tags are signed:

$ git show release-1.2.11
tag release-1.2.11
Tagger: John Reese <john@noswap.com>
Date: Wed Jun 6 23:49:26 2012 -0400

Stable release 1.2.11
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

commit 7b8dad73775088f5ba3cd084e933a7247df9df82
Author: John Reese <john@noswap.com>
Date: Wed Jun 6 23:48:24 2012 -0400

Bump version to 1.2.11
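
Both comments above turn on which release tags actually carry a signature. The following is an added example, not part of the original issue or of the MantisBT project's tooling: a shell function that lists every release-* tag in a clone and reports whether it is lightweight, annotated but unsigned, or signed. The helper make_demo_repo, its tag names and the placeholder signature block are constructed sample data.

```sh
#!/bin/sh
# audit_release_tags REPO [PATTERN]
# Prints "<tag> <status>" for each matching tag, where status is one of:
#   lightweight         ref points straight at a commit, nothing to sign
#   annotated-unsigned  tag object exists but carries no signature block
#   signed              tag object carries a PGP signature block
# A signature block being present does not make it valid: check it with
# `git verify-tag <tag>` once the tagger's public key is in your keyring.
audit_release_tags() {
    repo=$1
    pattern=${2:-refs/tags/release-*}
    git -C "$repo" for-each-ref --format='%(refname) %(objecttype)' "$pattern" |
    while read -r ref type; do
        tag=${ref#refs/tags/}
        if [ "$type" != tag ]; then
            echo "$tag lightweight"
        elif git -C "$repo" cat-file tag "$ref" |
             grep -q '^-----BEGIN PGP SIGNATURE-----$'; then
            echo "$tag signed"
        else
            echo "$tag annotated-unsigned"
        fi
    done
}

# make_demo_repo DIR
# Builds a constructed sample repository with one tag of each kind. The
# signature block in release-0.0.3 is a placeholder, not a real signature.
make_demo_repo() {
    dir=$1
    git init -q "$dir"
    set -- -C "$dir" -c user.name=Demo -c user.email=demo@example.invalid
    git "$@" commit -q --allow-empty -m 'Bump version'
    head=$(git "$@" rev-parse HEAD)
    git "$@" tag release-0.0.1
    git "$@" -c tag.gpgSign=false tag -a -m 'Stable release' release-0.0.2
    obj=$(printf '%s\n' "object $head" 'type commit' 'tag release-0.0.3' \
        'tagger Demo <demo@example.invalid> 1339040966 -0400' '' \
        'Stable release' '-----BEGIN PGP SIGNATURE-----' '' 'PLACEHOLDER' \
        '-----END PGP SIGNATURE-----' | git "$@" mktag)
    git "$@" update-ref refs/tags/release-0.0.3 "$obj"
}
```

Any tag reported as lightweight or annotated-unsigned is a candidate for re-tagging with a signature; tags reported as signed still need git verify-tag against a trusted key before the signature means anything.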