Fossil SCM
GPG sign the downloadable releases
1853e51989afa6f…
· opened 14 years, 11 months ago
- Type: Feature_Request
- Priority: —
- Severity: Critical
- Resolution: Fixed
- Subsystem: —
- Created: April 18, 2011 12:02 p.m.
Hi!
Please provide GPG-signed downloads on the download page. How can I trust the executables otherwise?
It seems that fossil allows signing of each manifest / check-in, but the executables on the downloads page are unverified.
Also, it would be nice if the downloadable tar.gz or zip balls were signed.
Thanks
BB.
anonymous claiming to be bert added on 2011-04-18 12:17:05 UTC: see also: http://www.mail-archive.com/[email protected]/msg04097.html
-- this post never had any reply, it seems, although DRH cares much about security and likes GPG, as far as I can see; see for example: http://www.mail-archive.com/[email protected]/msg01611.html
So I really think this request is reasonable.
drh added on 2011-04-18 12:49:18 UTC: A page showing SHA1 checksums for all download products has been placed on a separate server in a separate datacenter.