[kwlug-disc] Alternate 'repositories' [Was: Re: Going outside the repository]

Chris Frey cdfrey at foursquare.net
Sun Nov 16 00:02:21 EST 2014


I don't know which is more popular, but with regards to secure distribution
of software, the hosting service is not that important.  It's the
GPG signing.

With git, you can sign your tags, and let people verify the entire
source code history.

With sourceforge, or other download and project management systems,
you do it with sum files and GPG signing.

As a software producer and consumer, I want to trust the developer, since
he is the closest to the code.  A close second is trusting the distro and
their package management systems.  GPG signing lets me do both.  The
hosting service itself is irrelevant, and I specifically don't want to
trust the server or the internet connection.  So https, while nice, is
not what I'm after when downloading software.  It would likely be better
to turn https off for software downloads, so caching can be used.

- Chris
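As an added example (not part of the original post or any project it names), the shell below implements the verification flow Chris describes for "sum files and GPG signing", plus the git signed-tag case: the detached signature over the sum file is checked against a key fingerprint pinned out of band, and only then is the download's hash checked against the now-authenticated list. The file names `SHA256SUMS` / `SHA256SUMS.asc`, the tarball name and the fingerprint are assumptions; a real project's release page supplies its own.

```shell
#!/bin/sh
# Added example, not code from the kwlug-disc thread or from any project.
# Trust rests on the developer's key, not on the hosting server or on the
# transport, which is why plain http plus a verified signature is sufficient.
# File names and the pinned fingerprint below are assumptions.
set -u

# Step 1: verify the detached signature over the sum file and insist that the
# signing key (or its primary key) is the fingerprint we pinned out of band.
# "Some key signed it" is not enough: a replaced file can be re-signed by
# whoever replaced it. VALIDSIG is gpg's machine-readable status line; field 3
# is the signing key fingerprint and the last field is the primary key's.
verify_sums_signature() {
    sums=$1 sig=$2 pinned_fpr=$3
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
        awk -v fpr="$pinned_fpr" \
            '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
             END { exit !ok }'
}

# Step 2: check the downloaded file against the authenticated sum file. Only
# the line naming our file is handed to sha256sum, so entries for files we did
# not download cannot cause a spurious failure; a missing entry is a failure.
# The leading "*" marks binary mode in sum files and is stripped for matching.
check_tarball_sum() {
    sums=$1 tarball=$2
    name=$(basename "$tarball")
    dir=$(dirname "$tarball")
    awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) print }' "$sums" |
        (cd "$dir" && sha256sum -c --quiet --strict -)
}

# Step 3 (git hosting): a signed tag commits to the whole history reachable
# from it, so verifying the tag authenticates every commit's content. The
# tag signer's key must be in the local keyring and trusted by the same
# out-of-band fingerprint check as above.
verify_git_tag() {
    repo=$1 tag=$2
    git -C "$repo" verify-tag "$tag"
}

# Whole flow for a sum-file release: non-zero exit on any failure.
verify_release() {
    sums=$1 sig=$2 tarball=$3 pinned_fpr=$4
    verify_sums_signature "$sums" "$sig" "$pinned_fpr" ||
        { echo "bad or untrusted signature on $sums" >&2; return 1; }
    check_tarball_sum "$sums" "$tarball" ||
        { echo "hash mismatch for $tarball" >&2; return 1; }
    echo "verified: $tarball"
}

# Usage with hypothetical names:
#   verify_release SHA256SUMS SHA256SUMS.asc project-1.0.tar.gz <PINNED_FINGERPRINT>
```

The order matters: checking the hash before the signature would let a server that replaced both the tarball and `SHA256SUMS` pass, which is exactly the threat a signed sum file is meant to remove.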


On Wed, Nov 12, 2014 at 04:44:39PM -0500, B.S. wrote:
> So what is the favoured 'repository' these days? git(hub)?
> 
> IIRC SourceForge was THE place for quite some time. Not so much
> since. IIRC there were web issues (long since gone), then dated
> functionality issues, then I forget what. Seems noise on it has been
> quiet for quite a long time. In the sense of acceptance that whatever
> SourceForge is, it is. (And is not.)
> 
> Sourceforge bringing with it issue lists, help forums, wiki, front
> page, and so on. (Not uniquely, IIRC.) Even if it may not be pretty
> by today's standards, even after the facelift. At least some similar
> functionality of which I think I've also seen on github, if also not
> pretty.
> 
> And what's the current term for such beasts, anyways - I'm guessing
> 'repository' is not it / confusing.
> 
> Bugzilla? PPA's? Freshmeat?
> 
> 
> On 14-11-12 03:16 PM, Chris Frey wrote:
> >On Mon, Nov 10, 2014 at 02:54:50PM -0500, B.S. wrote:
> >>Don't recall what, if anything, sourceforge is/n't doing - I think
> >>md5's, but I don't recall keys.
> >
> >Sourceforge doesn't do anything extra, that I know of.  When I tried
> >to use https, it redirected me back to http.
> >
> >They just serve files.  If the project manager wants security, they
> >can sign their uploads themselves, which just becomes another file
> >from Sourceforge's perspective.
> >
> >- Chris
> >
> >
> >
> >_______________________________________________
> >kwlug-disc mailing list
> >kwlug-disc at kwlug.org
> >http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >