integrity checking (was: Request for Comments: new QIF Importer)
C. Gatzemeier
c.gatzemeier at tu-bs.de
Fri Jan 9 03:31:18 CST 2004
> Derek Atkins <warlord at MIT.EDU> writes
> >Christian Stimming <stimming at tuhh.de> writes:
> > BTW the other day someone asked why we don't
> > offer MD5's and signatures for our gnucash and openhbci packages, as
> > they (especially with HBCI) are in fact money-critical applications. I
> > replied that we would need some audit trail which we don't have. But
> > to be honest I have no idea about what we would need to do to provide
> > meaningful signed source packages. Do you have some ideas and/or
> > pointers to documents that describe the required steps for this?
>
> Well, supplying MD5s for the packages just implies running md5sum over
> the package and publishing the number. We could also create a pgp
> detached signature over the packages and put those on the web site.
> Neither of these are a tremendous amount of work, but they do add
> overhead to the packaging system. I've never actually used the RPM
> PGP feature so I don't know how to do that.
Another thing it will need is to require all cvs commits to be signed.
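As an added example (not code from this thread or from the GnuCash project), the first half of what Derek describes, in Python: checking a downloaded package against a published md5sum/sha256sum-style list. The package bytes and the name gnucash-X.Y.Z.tar.gz are constructed placeholders; the last case in demo() shows why the list itself still needs a detached signature.

```python
import hashlib
import hmac
import re

# One entry per file, as md5sum/sha256sum print it: "<hexdigest>  <name>" (" *<name>" in binary mode).
_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")

def parse_checksum_file(text):
    """Return {filename: hexdigest} from a published checksum list."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        sums[m.group(2)] = m.group(1).lower()
    return sums

def _algorithm(hexdigest):
    """Infer the hash from the digest length the checksum tool produced."""
    try:
        return {32: "md5", 40: "sha1", 64: "sha256"}[len(hexdigest)]
    except KeyError:
        raise ValueError("unrecognised digest length %d" % len(hexdigest))

def verify_package(filename, data, checksum_text):
    """True iff data hashes to the published entry for filename."""
    expected = parse_checksum_file(checksum_text).get(filename)
    if expected is None:
        return False
    actual = hashlib.new(_algorithm(expected), data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample release and the list a maintainer would publish for it.
PACKAGE = b"constructed sample tarball contents\n"
NAME = "gnucash-X.Y.Z.tar.gz"  # placeholder name, not a real release
CHECKSUMS = "%s  %s\n" % (hashlib.md5(PACKAGE).hexdigest(), NAME)

def demo():
    intact = verify_package(NAME, PACKAGE, CHECKSUMS)             # True
    corrupted = verify_package(NAME, PACKAGE + b"\0", CHECKSUMS)  # False
    # A mirror serving a modified package can serve a matching checksum
    # list too; the hash alone cannot tell this from a genuine release,
    # which is why the list (or each package) needs a detached PGP signature.
    altered = PACKAGE.replace(b"sample", b"altered")
    altered_sums = "%s  %s\n" % (hashlib.md5(altered).hexdigest(), NAME)
    spoofed = verify_package(NAME, altered, altered_sums)         # True
    return intact, corrupted, spoofed
```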