[lustre-discuss] Signing important git commits and files (RPMs, DEBs) distributed on the whamcloud repository ?

Audet, Martin Martin.Audet at cnrc-nrc.gc.ca
Fri Jan 26 07:31:14 PST 2024


Hello,


It would be great if the important commits, especially those corresponding to tags, were signed using long-term keys (e.g. GPG, SSH or X.509; you have the choice since git supports many formats), with the corresponding public keys published on the Lustre web site and their fingerprints on this mailing list, for example. This would allow every user to have more confidence in the integrity of the associated code and would comply better with the end-to-end principle, as the private keys would be kept carefully by the developers.


It is the same with the RPM and DEB packages distributed over the whamcloud repository (https://downloads.whamcloud.com/public/lustre/), except that the choice of key system is limited to GPG in this case. As you know, it is common practice to associate a public key with every remote repository to verify the authenticity of every downloaded package before installation (but it is not yet done on this repository).


Performing downloads or "git" access over "https" is better than nothing, but the guarantee of integrity is way better if done by signatures closer to the original authors.

Signing keys could even be held on hardware devices such as YubiKeys, as this would be both very secure and convenient for developers.


Please consider this suggestion, I am sure it would satisfy many users.


Thanks,


Martin Audet