cayenne-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aristedes Maniatis <...@maniatis.org>
Subject Re: [VOTE] 4.0.M5 release v2
Date Thu, 02 Mar 2017 13:49:32 GMT
On 2/3/17 8:51pm, Andrus Adamchik wrote:
> 
> 
>> On Mar 2, 2017, at 11:55 AM, Aristedes Maniatis <ari@maniatis.org> wrote:
>>
>> Would it help if we set up a Jenkins job to create the build artifacts then we have
an easier to verify chain from source checkout to artifact creation?
> 
> It most certainly will. How do we sign the files though?

There can still be a step of downloading the files from jenkins, signing and uploading. md5
hashes are still there for verifying the Jenkins output is intact.

I'm not sure how we verify that Jenkins itself isn't compromised, but perhaps we can ask what
others do.


Ari



-- 
-------------------------->
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A

Mime
View raw message