Hi,

it would be helpful to harden the chain of trust if the release announcement mails and the website https://zsh.sourceforge.io/releases.html contained checksums of the tar.xz. And because the PGP key exists, would it be possible to sign the announcement mail?

BTW: Having the key next to the tar is helpful, but if an attacker can change the tar, they can also change the zsh-keyring. Having this file also at https://zsh.sourceforge.io/ would be good.

Best regards,
Jörg

--
I do consider him a scoundrel and what he says to be wrong, but I am prepared to stake my life so that he can voice his opinion. (Voltaire)
Attachment:
signature.asc
Description: PGP signature
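One way a downstream user could act on the verification model the mail describes, as an added example that is neither part of the original message nor zsh project code: the checksum is taken from the announcement text, the detached signature is checked only against a keyring obtained from the project website, and the check refuses to proceed when tarball and keyring come from the same host. The announcement line format, the `.asc` naming, the file names and the URLs are assumptions.

```python
"""Added example (not zsh project code): verify a release tarball using the
two independent inputs the mail asks for, a checksum published in the
announcement and a PGP keyring served from the project website rather than
from the download directory. Announcement line format, file names and URLs
below are assumptions."""
import hashlib
import re
import subprocess
from pathlib import Path
from urllib.parse import urlsplit

# Assumed announcement format: "SHA256 (zsh-X.Y.tar.xz) = <64 hex chars>"
CHECKSUM_RE = re.compile(r"^SHA256 \((?P<name>\S+)\) = (?P<hex>[0-9a-fA-F]{64})$", re.M)


def parse_announced_checksums(announcement: str) -> dict:
    """Return {filename: sha256hex} for every checksum line in the mail body."""
    return {m["name"]: m["hex"].lower() for m in CHECKSUM_RE.finditer(announcement)}


def checksum_matches(name: str, data: bytes, announced: dict) -> bool:
    """True only if the file was announced and its digest matches exactly."""
    expected = announced.get(name)
    if expected is None:
        return False  # an unannounced file is a failure, not a pass
    return hashlib.sha256(data).hexdigest() == expected


def separate_origins(tarball_url: str, keyring_url: str) -> bool:
    """The keyring must not come from the same host as the tarball; whoever
    can replace the tarball there can replace the keyring as well."""
    return urlsplit(tarball_url).hostname != urlsplit(keyring_url).hostname


def signature_valid(tarball: Path, keyring: Path) -> bool:
    """Verify <tarball>.asc against the separately obtained keyring only
    (pass an absolute keyring path; gpg resolves relative ones in its homedir)."""
    sig = tarball.with_name(tarball.name + ".asc")
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
           "--verify", str(sig), str(tarball)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def verify_release(tarball: Path, announcement: str, keyring: Path,
                   tarball_url: str, keyring_url: str) -> bool:
    """All three checks must pass; any single failure rejects the release."""
    if not separate_origins(tarball_url, keyring_url):
        return False
    announced = parse_announced_checksums(announcement)
    if not checksum_matches(tarball.name, tarball.read_bytes(), announced):
        return False
    return signature_valid(tarball, keyring)
```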