> Derek Atkins <warlord at MIT.EDU> writes
> >Christian Stimming <stimming at> writes:

> >  BTW the other day someone asked why we don't
> > offer MD5's and signatures for our gnucash and openhbci packages, as
> > they (especially with HBCI) are in fact money-critical applications. I
> > replied that we would need some audit trail which we don't have. But
> > to be honest I have no idea about what we would need to do to provide
> > meaningful signed source packages. Do you have some ideas and/or
> > pointers to documents that describe the required steps for this?
> Well, supplying MD5s for the packages just implies running md5sum over
> the package and publishing the number.  We could also create a pgp
> detached signature over the packages and put those on the web site.
> Neither of these are a tremendous amount of work, but they do add
> overhead to the packaging system.  I've never actually used the RPM
> PGP feature so I don't know how to do that.

Another thing it will need is to require all cvs commits to be signed.

