
27 Oct 2021, 4:05 p.m.
Hi Heinrich,
On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
> Downloading binaries and executing without checking the authenticity is at least unwise.
> When binman downloads GCC it should also download and verify the GPG signatures.
> Additionally binman could hold a list of the SHA256 hashes of all binaries in question for a further check.
Buildman? Yes that sounds like a nice feature. Did you hit a problem, or just come up with this idea? You could try the new issue tracker!
Regards, Simon
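
The SHA256 list suggested in the quoted message could be checked along these lines. This is an added example, not code from buildman, binman or either poster; the function names, the file names and the sample payload are assumptions made for illustration, and GPG signature verification is not covered.

```python
import hashlib
import hmac
import os
import tempfile

class IntegrityError(Exception):
    """Raised when a downloaded file is unlisted or does not match its digest."""

def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so a large toolchain tarball need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, 'rb') as inf:
        for chunk in iter(lambda: inf.read(chunk_size), b''):
            digest.update(chunk)
    return digest.hexdigest()

def verify_pinned(path, pinned):
    """Check path against pinned {basename: sha256-hex}; unlisted files fail too."""
    name = os.path.basename(path)
    expected = pinned.get(name)
    actual = sha256_file(path)
    if expected is None or not hmac.compare_digest(actual, expected.lower()):
        os.unlink(path)  # never leave an unverified download where it could be run
        raise IntegrityError(f'{name}: SHA256 not pinned or mismatched (got {actual})')
    return path

def attempt(path, pinned):
    """Return 'accepted' or 'rejected' instead of raising, for the demo below."""
    try:
        verify_pinned(path, pinned)
        return 'accepted'
    except IntegrityError:
        return 'rejected'

def demo():
    """Constructed sample: stand-in tarballs, one of them modified after pinning."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, 'toolchain-example.tar.xz')  # hypothetical name
        other = os.path.join(tmp, 'unlisted-example.tar.xz')  # hypothetical name
        for path in (good, other):
            with open(path, 'wb') as outf:
                outf.write(b'constructed sample payload\n')
        pinned = {os.path.basename(good): sha256_file(good)}
        results = {'intact': attempt(good, pinned), 'unlisted': attempt(other, pinned)}
        with open(good, 'ab') as outf:  # simulate modification after pinning
            outf.write(b'extra bytes')
        results['tampered'] = attempt(good, pinned)
        results['removed'] = not (os.path.exists(good) or os.path.exists(other))
        return results
```

In a real tool the pinned table would ship with the tool's own source rather than being computed from the download, as the demo does only to stay self-contained.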