[Owncloud] Suggestions to improve release announcements

Timothée Ravier siosm99 at gmail.com
Tue Sep 10 19:44:01 UTC 2013


There is currently no easy way to check the validity of the Owncloud
release tarballs available at owncloud.org.

In order to increase safety/security of Owncloud releases, may I suggest
you the following points:

* add the md5sum and sha256sum of the source tarball to release emails;

* sign those emails using PGP and make the public key available on
keyservers and the Owncloud website;

* add a detached PGP signature file instead of the current md5sum file
(you could keep the md5sum one on the same line as the link on the
web page, no need for an extra file).



More information about the Owncloud mailing list